Creating principal with +needchange and -pwexpire?

Andreas Ntaflos daff at pseudoterminal.org
Tue Nov 9 12:20:10 EST 2010


On Tuesday 09 November 2010 17:53:04 Russ Allbery wrote:
> Andreas Ntaflos <daff at pseudoterminal.org> writes:
> > I would have thought that the following command does what I want:
> > 
> > kadmin.local -q "addprinc +needchange +requires_preauth \
> >   -pwexpire '15 minutes' -pw secret foobar"
> > 
> > If I understand correctly this adds a new principal foobar with
> > password "secret" that should expire in 15 minutes and needs to
> > change the password on the next kinit call. The "requires_preauth"
> > seems to be set by the default policy and needs to be there,
> > otherwise the principal cannot be authenticated.
> > 
> > Unfortunately the user can still log in (and is prompted to change
> > his password by the system) even after the temporary password is
> > past its expiration date.
> > 
> > Why so? Does "+needchange" take precedence over any password
> > expiration date?
> 
> No, password expiration dates don't mean what you think they mean.  A
> password expiration date is the date after which the user is forced
> to change their password.  It doesn't disable the principal
> entirely.  An expired password configured via -pwexpire is exactly
> equivalent to marking the account with +needschange, so far as I can
> determine, except that +needschange is cleared completely on the
> next password change but -pwexpire dates are pushed out by the
> password expiration time from the password policy.

Interesting, I really misunderstood what password expiration dates mean. 
Thanks for the explanation!

> I don't think there's a way to do what you want entirely
> automatically. You can set an expiration on the *principal*, but
> that isn't cleared automatically on password change; you'll need
> some process to go back and clear those expirations if the user
> changed their password.

That is unfortunate but not the end of the world. Devising such a 
process shouldn't be too difficult, maybe using cron or at.

Anyway, thank you very much for the quick and helpful reply!

Andreas
-- 
Andreas Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
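One shape the cleanup process discussed above could take, as an added example that is not part of the thread: it assumes the principal was created with +needchange plus a principal expiration (-expire, as Russ suggests) and relies on the REQUIRES_PWCHANGE attribute that getprinc prints for +needchange being cleared when the user changes the password, so a cron job can lift the expiration once that attribute is gone.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides from the output of
# "kadmin.local -q 'getprinc NAME'" whether a temporary principal's
# expiration can be cleared. Assumptions: the principal was created with
# +needchange and "-expire <deadline>", and getprinc shows +needchange
# as the REQUIRES_PWCHANGE attribute, which a password change clears.

# Returns 0 when an expiration date is still set but REQUIRES_PWCHANGE
# is gone, i.e. the user has already changed the temporary password.
expire_clearable() {
    getprinc_out=$1
    exp=$(printf '%s\n' "$getprinc_out" | sed -n 's/^Expiration date: //p')
    attrs=$(printf '%s\n' "$getprinc_out" | sed -n 's/^Attributes: //p')
    # Nothing to do if no principal expiration is set at all.
    [ -n "$exp" ] && [ "$exp" != "[never]" ] || return 1
    # Password not changed yet: keep the deadline in place.
    case " $attrs " in
        *" REQUIRES_PWCHANGE "*) return 1 ;;
    esac
    return 0
}

# Cron-job wrapper (hypothetical name): lift the expiration after the
# password change. Needs kadmin.local on the KDC; not run by the test.
clear_if_changed() {
    princ=$1
    out=$(kadmin.local -q "getprinc $princ") || return 2
    if expire_clearable "$out"; then
        kadmin.local -q "modprinc -expire never $princ"
    fi
}

# Constructed sample getprinc output, before and after the password change.
SAMPLE_BEFORE='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 12:35:00 EST 2010
Last password change: Tue Nov 09 12:20:10 EST 2010
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: default'
SAMPLE_AFTER='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 12:35:00 EST 2010
Last password change: Tue Nov 09 12:27:41 EST 2010
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: default'
```

Run the wrapper from cron often enough that it fires before the -expire deadline passes; a principal whose expiration has already elapsed cannot kinit to change the password in the first place.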