kadmin-remctl 3.6 released
Russ Allbery
eagle at eyrie.org
Wed Jan 15 18:55:01 EST 2014
I'm pleased to announce release 3.6 of kadmin-remctl.
kadmin-remctl provides a remctl backend that implements basic Kerberos
account administration functions (create, delete, enable, disable, reset
password, examine) plus user password changes and a call to strength-check
a given password. It can also provide similar management of instances and
creation, deletion, and management of accounts in Heimdal, MIT Kerberos,
Active Directory, and an AFS kaserver where appropriate. Also included is
a client for privileged users to use for password resets and a simple
client for password chnages via the Kerberos password change protocol.
Many of the defaults and namespace checks are Stanford-specific, but it
can be modified for other sites.
Changes from previous release:
Add a new per-instance configuration option to set the password
expiration time for newly-created principals. Be aware that this only
controls the initial expiration period. After the first password
change, further expiration periods are normally controlled by the KDC
configuration or policy.
In the Heimdal backend, map password quality errors on account
creation or password reset to a generic error. The kadmin protocol
doesn't have a mechanism for passing back the rich error message from
the password quality check, so all failures use the same error string.
Remap it here, since the error message from Heimdal is of dubious
accuracy. This will only apply to sites that have patched Heimdal to
do password quality checks on administrative operations.
Update to rra-c-util 5.1:
* Don't attempt to use Kerberos if no Kerberos error APIs were found.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
You can download it from:
<http://www.eyrie.org/~eagle/software/kadmin-remctl/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list