Request to change MIT Kerberos behavior when principal is expired, deleted or password changed

Nico Williams nico at cryptonector.com
Thu Mar 6 15:37:54 EST 2014


On Thu, Mar 6, 2014 at 1:31 PM, Edgecombe, Jason <jwedgeco at uncc.edu> wrote:
> Does Heimdal reject requests for expired/disabled accounts as well?

It rejects in these cases:

 - the HDB doesn't have an entry for the client principal but should have
 - the HDB did have an entry and the client principal was marked locked out
 - the HDB did have an entry and the client principal was marked invalid
 - the HDB did have an entry and the client principal was marked not a client
 - the HDB did have an entry and the client principal's valid_start (which is only really supported via the LDAP HDB backend)
 - the HDB did have an entry and the client principal requires a password change
 - the HDB did have an entry and the client principal's password is expired

It'd be trivial to reject requests using tickets predating the last
password change.

Nico
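As an added illustration of the rejection list above (my own sketch, not Nico's code and not Heimdal's HDB or KDC code): a hypothetical model of the HDB entry fields the list names, and a check that walks them in the same order, with the suggested "ticket predates the last password change" rule as an optional extra. The valid_start case is assumed to mean a start time that lies in the future.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified model of an HDB entry; field names are
# constructed for this example and do not follow Heimdal's hdb.asn1.
@dataclass
class HdbEntry:
    flags_locked_out: bool = False
    flags_invalid: bool = False
    flags_client: bool = True            # may this principal act as a client?
    valid_start: Optional[int] = None    # epoch seconds; None = no restriction
    require_pwchange: bool = False       # principal must change its password
    pw_end: Optional[int] = None         # password expiry, epoch seconds
    last_pw_change: Optional[int] = None # time of the most recent password change


def check_client(entry: Optional[HdbEntry], now: int,
                 ticket_authtime: Optional[int] = None,
                 reject_pre_pwchange: bool = False) -> Optional[str]:
    """Return None if the client may be served, otherwise a short reason.

    The first seven checks mirror the cases listed in the mail; the last
    one is the proposed rejection of tickets issued before the latest
    password change (only applied when reject_pre_pwchange is set).
    """
    if entry is None:
        return "no entry for client principal"
    if entry.flags_locked_out:
        return "locked out"
    if entry.flags_invalid:
        return "invalid"
    if not entry.flags_client:
        return "not a client"
    if entry.valid_start is not None and now < entry.valid_start:
        return "not yet valid"
    if entry.require_pwchange:
        return "password change required"
    if entry.pw_end is not None and now >= entry.pw_end:
        return "password expired"
    if (reject_pre_pwchange and ticket_authtime is not None
            and entry.last_pw_change is not None
            and ticket_authtime < entry.last_pw_change):
        return "ticket predates last password change"
    return None
```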