[krbdev.mit.edu #415] The current behavior of kadmind makes using minimum password lifetimes difficult
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue Dec 18 15:53:45 EST 2007
[RT_System - Mon Aug 19 14:16:54 2002]:
> From kenh at cmf.nrl.navy.mil Thu Apr 10 13:43:08 1997
> Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by
> rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29014 for <bugs at RT-11.MIT.EDU>;
> Thu, 10 Apr 1997 13:43:03 -0400
> Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP
> id AA25519; Thu, 10 Apr 97 12:42:36 EST
> Received: from nexus.cmf.nrl.navy.mil (kenh at nexus.cmf.nrl.navy.mil [134.207.10.9])
> by ginger.cmf.nrl.navy.mil (8.8.5/8.8.5) with ESMTP id NAA12494
> for <krb5-bugs at mit.edu>; Thu, 10 Apr 1997 13:42:41 -0400 (EDT)
> Received: (from kenh at localhost)
> by nexus.cmf.nrl.navy.mil (8.8.5/8.8.5) id NAA05219;
> Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
> Message-Id: <199704101742.NAA05219 at nexus.cmf.nrl.navy.mil>
> Date: Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
> From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Reply-To: kenh at cmf.nrl.navy.mil
> To: krb5-bugs at MIT.EDU
> Subject: Don't update the last password change field for new users
> X-Send-Pr-Version: 3.99
>
> >Number: 415
> >Category: krb5-admin
> >Synopsis: The current behavior of kadmind makes using minimum password lifetimes difficult
> >Confidential: no
> >Severity: non-critical
> >Priority: medium
> >Responsible: bjaspan
> >State: open
> >Class: change-request
> >Submitter-Id: unknown
> >Arrival-Date: Thu Apr 10 13:44:01 EDT 1997
> >Last-Modified:
> >Originator: Ken Hornstein
> >Organization: Naval Research Lab
>
> >Release: 1.0
> >Environment:
>
> System: SunOS nexus 4.1.4 3 sun4m
> Architecture: sun4
>
> >Description:
>
> The current way kadmind works makes it difficult to use minimum password
> lifetimes.
>
> When you create a user, the "last password change" field is updated so it
> has the time the account was created. This is problematic if you set a
> minimum password lifetime; if you want new users to change their passwords
> right away, you have to wait until the minimum password lifetime has lapsed
> until they can change their password, and that simply doesn't make sense.
> >How-To-Repeat:
>
> Create a user with a long minimum password lifetime, and tell them to
> change their passwords right away.
> >Fix:
>
> This simple patch makes it so newly created accounts don't have a
> password change time.
>
> --- lib/kadm5/srv/svr_principal.c.orig Mon Nov 11 17:05:18 1996
> +++ lib/kadm5/srv/svr_principal.c Thu Apr 10 13:30:02 1997
> @@ -212,13 +212,6 @@
> return(ret);
> }
>
> - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb,
> now)) {
> - krb5_dbe_free_contents(handle->context, &kdb);
> - if (mask & KADM5_POLICY)
> - (void) kadm5_free_policy_ent(handle->lhandle, &polent);
> - return(ret);
> - }
> -
> /* initialize the keys */
>
> if (ret = krb5_dbe_cpw(handle->context, &master_encblock,
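Review bot: Deleting the krb5_dbe_update_last_pwd_change() block in the -212 hunk changes what is recorded for every newly created principal, not only the ones an administrator wants to push through an immediate change, and the maintainer reply below states that stamping last_pwd_change with "now" at creation is what the kadm5 API specification calls for. The narrower fix is to keep this block and mark the affected principal at creation with the REQUIRES_PWCHANGE attribute (`+needchange` on addprinc), which lets that one principal bypass the minimum-lifetime check while every other principal keeps an accurate change time. Note also that the removed lines are the only spot on this error path that frees the policy entry (`(void) kadm5_free_policy_ent(handle->lhandle, &polent);` under `mask & KADM5_POLICY`), so if the timestamp update is ever reinstated or replaced, that cleanup must come back with it.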
> >Audit-Trail:
> >Unformatted:
The current behavior of principal creation setting the "last_pwd_change" to "now" is in
accordance with the kadm5 API specification. If you want to require users with minimum
password lifetimes to immediately change their password after creation, consider setting the
"REQUIRES_PWCHANGE" flag at principal creation time by supplying the "+needchange"
option to kadmin addprinc.
If you believe that this technique needs to be publicized further, please file a separate
documentation bug.
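To make the trade-off in this thread concrete, here is a small Python model of the kadm5 minimum-password-lifetime check as the thread describes it. It is an added illustration, not MIT krb5's own code: the field and flag names (`last_pwd_change`, `pw_min_life`, `REQUIRES_PWCHANGE`) follow the thread, the bit value given to `REQUIRES_PWCHANGE` and the error name `KADM5_PASS_TOOSOON` are assumptions made for the model, and the rule that a principal carrying `REQUIRES_PWCHANGE` is exempted from the minimum-lifetime check is what the reply above implies rather than something the page spells out. It contrasts three ways of creating a principal under a seven-day minimum lifetime: the default behaviour the reporter complains about, the submitted patch (no change time recorded), and the `+needchange` approach the maintainer recommends.

```python
"""Model of the kadm5 minimum password lifetime check discussed in krbdev #415.

Illustrative code, not MIT krb5's implementation. Constants and error names
are stand-ins chosen for the model (see lead-in).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical bit value standing in for the real KRB5_KDB_REQUIRES_PWCHANGE flag.
REQUIRES_PWCHANGE = 0x00000100


@dataclass
class Policy:
    pw_min_life: int  # minimum password lifetime, in seconds


@dataclass
class Principal:
    last_pwd_change: int          # Unix time of the last change; 0 means "never recorded"
    attributes: int = 0           # principal attribute bits
    policy: Optional[Policy] = None


def create_principal(now: int, policy: Optional[Policy] = None,
                     needchange: bool = False,
                     clear_last_change: bool = False) -> Principal:
    """Model principal creation.

    Default: last_pwd_change is stamped with `now`, which the maintainer reply
    says is what the kadm5 API specification requires.
    clear_last_change=True models the submitted patch (no timestamp at all).
    needchange=True models `addprinc +needchange` (REQUIRES_PWCHANGE set).
    """
    attrs = REQUIRES_PWCHANGE if needchange else 0
    return Principal(last_pwd_change=0 if clear_last_change else now,
                     attributes=attrs, policy=policy)


def chpass_allowed(princ: Principal, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a password change attempted at `now`.

    The minimum-lifetime check applies only when the principal has a policy
    with a non-zero pw_min_life, and is waived when REQUIRES_PWCHANGE is set
    (the model's reading of the maintainer's advice).
    """
    if princ.policy is not None and princ.policy.pw_min_life > 0:
        age = now - princ.last_pwd_change
        if age < princ.policy.pw_min_life and not (princ.attributes & REQUIRES_PWCHANGE):
            return False, "KADM5_PASS_TOOSOON"
    return True, "ok"


def change_password(princ: Principal, now: int) -> Tuple[bool, str]:
    """Apply a password change if allowed: record the time and clear the flag."""
    allowed, reason = chpass_allowed(princ, now)
    if allowed:
        princ.last_pwd_change = now
        princ.attributes &= ~REQUIRES_PWCHANGE
    return allowed, reason


def scenarios() -> dict:
    """Run the three creation strategies against a seven-day minimum lifetime.

    Constructed sample timeline: account created at t0, first change attempted
    one hour later, a second attempt one minute after that.
    """
    pol = Policy(pw_min_life=7 * 86400)
    t0 = 1_000_000_000
    t1 = t0 + 3600
    results = {}

    # 1. Default creation: the new user is locked out of changing for a week.
    p = create_principal(t0, pol)
    results["default"] = change_password(p, t1)

    # 2. Submitted patch: the check passes only because a zero timestamp looks
    #    ancient, and the principal carries no real change history.
    p = create_principal(t0, pol, clear_last_change=True)
    results["patched"] = change_password(p, t1)

    # 3. +needchange: the flag waives the check once, the timestamp stays accurate,
    #    and after the forced change the minimum lifetime applies again.
    p = create_principal(t0, pol, needchange=True)
    results["needchange"] = change_password(p, t1)
    results["needchange_second"] = change_password(p, t1 + 60)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:18s} allowed={allowed} reason={reason}")
```

The `needchange_second` result is the point the patch misses: with `+needchange` the administrator gets the one immediate change they wanted while the minimum lifetime still protects every later change, whereas zeroing `last_pwd_change` for all new accounts trades away the recorded change time the API promises.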