Expired passwords and tickets

Russ Allbery rra at stanford.edu
Fri Sep 9 12:37:24 EDT 2011


Mauricio Tavares <raubvogel at gmail.com> writes:

> Let's say I have user principal passwords set to expire after X months. So,

> o To renew/change a user principal password before it expires, the
> said user must have a ticket, right?

Yes, but users are allowed to get tickets for kadmin/changepw even if
their password is expired.

> o A user should be able to change the user principal password in, say, a
> Mac without much fuss. What if the user is on a Windows box which is connected
> to the KDC using the Microsoft Kerberos stack (as opposed to KFW)?

This I don't know.  It's supposed to handle the expiration notification
and switch to doing a forced password change, but I don't know if that all
works properly.

> o If the password has expired, is the only way to renew it to login as
> an admin and change it?

No, see above.

> o Is there a way of reminding the user of impending doom, i.e. of password
> expiration date steadily approaching?

The KDC sends that information to the client, which has the option of
displaying it.  Whether it does so depends on the client.  kinit, PAM
modules, etc. generally will.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
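
On the reminder question, an admin-side complement to the client-side warning, given as an added example that is not part of this thread: it parses `kadmin getprinc`-style output and lists principals whose password has expired or will expire soon. The MIT-style field layout, the constructed sample records, the ignored time-zone token and the 14-day window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: concatenated, trimmed `getprinc` records (MIT layout assumed).
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Password expiration date: Mon Sep 12 12:37:24 EDT 2011
Principal: bob@EXAMPLE.ORG
Expiration date: [never]
Password expiration date: [never]
Principal: carol@EXAMPLE.ORG
Expiration date: [never]
Password expiration date: Thu Sep 01 09:00:00 EDT 2011
"""

# Anchored so the account "Expiration date" line is not mistaken for the password one.
FIELD = re.compile(r"^(Principal|Password expiration date):\s*(.*)$")

def parse_expirations(text):
    """Map principal -> password expiry (naive datetime), or None for [never]."""
    result, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Principal":
            current = value
        elif current is not None:
            if value == "[never]":
                result[current] = None
            else:
                # Assumption: drop the zone abbreviation and compare in the KDC's zone.
                parts = value.split()
                stamp = " ".join(parts[:4] + parts[-1:])
                result[current] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return result

def classify(expirations, now, warn_days=14):
    """Return (expired, expiring_soon) lists of principal names."""
    expired, soon = [], []
    for name, when in sorted(expirations.items()):
        if when is None:
            continue
        if when <= now:
            expired.append(name)
        elif when - now <= timedelta(days=warn_days):
            soon.append(name)
    return expired, soon
```

Principals in the expired list can still change their own password, since the KDC issues kadmin/changepw tickets for an expired password.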


