Creating principal with +needchange and -pwexpire?
Andreas Ntaflos
andreas.ntaflos at rise-world.com
Tue Nov 9 10:16:14 EST 2010
Hello list,
I am not quite new to Kerberos but never had to do much more than create
and delete principals so I am not very experienced administrating
Kerberos. Thus my question. I am using Ubuntu 10.04 Server, krb5-kdc and
krb5-admin-server in version 1.8.1 (1.8.1+dfsg-2ubuntu0.3 to be exact).
Is it possible to create a new principal that requires its user to
change the password and expires after a certain time if the user does
not log in to change it?
I would have thought that the following command does what I want:
kadmin.local -q "addprinc +needchange +requires_preauth \
-pwexpire '15 minutes' -pw secret foobar"
If I understand correctly this adds a new principal foobar with password
"secret" that should expire in 15 minutes and needs to change the
password on the next kinit call. The "requires_preauth" seems to be set
by the default policy and needs to be there, otherwise the principal
cannot be authenticated.
Unfortunately the user can still log in (and is prompted to change his
password by the system) even after the temporary password is past its
expiration date.
Why so? Does "+needchange" take precedence over any password expiration
date?
I want to do this because we create principals by Python scripts and
send users the credentials by unencrypted email, including a temporary
password. This password must be changed by the user and we don't want
the temporary password to be valid forever if a user is too lazy to log
in and change it in time. If it were anyone who manages to get hold of
the email message containing the credentials could use the account.
Minimising that risk is just good security policy although in reality
that particular scenario is not very likely to really occur.
Thanks in advance!
Andreas
--
Andreas Ntaflos
Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20101109/ea9767be/attachment.bin
More information about the Kerberos
mailing list