[krbdev.mit.edu #6682] krb5_get_init_creds_password() is inconsistent about when it warns about impending expiration

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Mar 17 16:40:22 EDT 2010


Per the log message for r14936, this is intentional behavior:

---
Note that the intent is that the last-req type will only be included by
the KDC when the time until password expiration reaches some threshold
(e.g., one week), so this code will display the password expiration
anytime the last-req type is included.
---

(A classic case of "code documentation belongs in comments, not commit
logs.")

Now, I don't know if that statement reflects reality.  Allowing the KDC
to control when expiration notification happens seems well and fine, but
RFC 4120 doesn't appear to say that last-req expiration times should be
used that way.
