Options for enforcing password policies

Russ Allbery rra at stanford.edu
Wed May 22 21:08:18 EDT 2013


Jason Edgecombe <jason at rampaginggeek.com> writes:

> On Linux & Windows, how are users notified that their password is about
> to expire?

Kerberos supports, in the protocol, a field in the Kerberos KDC reply
saying when the keys for the principal (aka the password) will expire (and
when the principal will expire if the whole principal has an expiration
date set).  I believe both MIT Kerberos and Active Directory set it and
Heimdal doesn't, although I'm not positive about the last.

With MIT Kerberos, the client is then supposed to call
krb5_get_init_creds_opt_set_expire_callback to set a callback that will
receive the password and account expiration times along with some other
information.  I believe that the MIT kinit implementation does this.  My
PAM module and k5start do *not* do this (because I only found out about
this facility in the last month).

It looks like Heimdal handles the password expiration display internally
(configured with warn_pwexpire) rather than exposing a callback to the
client of the library, which means that you always get the warning if you
configure a prompter (which PAM and k5start do), but you don't have
application control over it.

I'm not sure if MIT displays the expiration warning by default if no
callback is set.  (I'd check, but I'm feeling lazy at the moment.)

> How can you do this on Windows when the passwords are in a different realm
> with cross-realm trust? (i.e. Windows is part of an AD domain that
> trusts our MIT KDC).

All of the above should work through cross-realm scenarios.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

