Kerberos password expiration

Greg Hudson ghudson at MIT.EDU
Tue Mar 22 11:59:06 EDT 2011


On Tue, 2011-03-22 at 10:33 -0400, Claudio Prono wrote:
> I have the users already working, but now how can I set a password
> expiration policy?

In MIT krb5 you'd do it like this:

1. Run kadmin or kadmin.local

2. Create a password policy with 'addpol -maxlife "90 days" polname',
where polname can be any name you want.  You can make further changes to
the policy with the modpol command.

3. Associate the policy with the users with 'modprinc -policy polname
userprinc', for each user principal.

4. The next time the users change passwords, they will get a 90-day
expiry time.

5. You can set a one-time expiration for a user's current password with
'modprinc -pwexpire "90 days" userprinc'.
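
Steps 2, 3 and 5 above applied to a batch of principals, as an added example that is not part of the original post. The policy name pw90, the principals alice and bob/admin, and the APPLY switch are constructed for illustration; the script only prints the queries unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: builds the kadmin queries for steps 2, 3 and 5 of the post.
# Policy name, lifetime and principal names below are constructed samples.

# Print one kadmin query per line for a policy and a list of principals.
gen_queries() {
    policy=$1; maxlife=$2; shift 2
    # Step 2: create the password policy once.
    printf 'addpol -maxlife "%s" %s\n' "$maxlife" "$policy"
    for princ in "$@"; do
        # Skip names with characters that could alter the kadmin query.
        case $princ in
            ''|*[!A-Za-z0-9._/@-]*)
                echo "skipping invalid principal: $princ" >&2
                continue ;;
        esac
        # Step 3: attach the policy; it takes effect at the next password change.
        printf 'modprinc -policy %s %s\n' "$policy" "$princ"
        # Step 5: one-time expiry so the current password also ages out.
        printf 'modprinc -pwexpire "%s" %s\n' "$maxlife" "$princ"
    done
}

# Read queries on stdin. Dry run by default; APPLY=1 runs each one
# through kadmin.local -q on the KDC.
run_queries() {
    while IFS= read -r q; do
        if [ "${APPLY:-0}" = 1 ]; then
            kadmin.local -q "$q"
        else
            printf 'would run: kadmin.local -q %s\n' "$q"
        fi
    done
}

gen_queries pw90 "90 days" alice bob/admin | run_queries
```

Afterwards, 'getprinc userprinc' in kadmin shows the policy and password expiration date now set on each principal.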




