Proposal: Improved support for password/principal expiration notification

James F. Hranicky jfh at cise.ufl.edu
Sat May 3 11:21:06 EDT 2003


Recently, I started a thread on the Kerberos list about improving support for 
password and principal expiration notification. Currently, the key_exp field
in _krb5_enc_kdc_rep_part is used to indicate principal expiration. If an
admin wants that to indicate password expiration, the KDC code needs to be 
changed and recompiled. However, if an admin wants to notify users of *both*
principal and password expiration, it's unclear what should be done.

In the 1.3 client code, Ken Hornstein has begun to add support for using 
the last_req fields to indicate password expiration to the user using one of
the types KRB5_LRQ_ALL_PW_EXPTIME (6) or KRB5_LRQ_ONE_PW_EXPTIME (-6). He's 
also indicated that type 7 (and I assume -7) could be used to indicate 
principal expiration. 

My proposal is as follows. I'll code up the following and submit a patch
if anyone is interested:

	- add support to the KDC for using these fields to indicate both
	  impending principal expiration and impending password expiration

	- add support to krb5_gicp() to indicate principal expiration to
	  the user, building on what is already in the 1.3 client code. If
	  both principal expiration and password expiration are indicated
	  within a certain amount of time, both messages would be added to
	  the banner
	
	- Allow for sysadmin customization of the banner, probably along
	  the lines of allowing the admin to add the contents of a file
	  to what is being output to the banner already. Something like
	  this:

	  [libdefaults]
		gic_princ_exp_msg = /usr/local/etc/krb5/princ_exp_msg
		gic_pass_exp_msg  = /usr/local/etc/krb5/pass_exp_msg

	  Contents of /usr/local/etc/krb5/princ_exp_msg :

		Information on renewing accounts can be found at
		http://www.my.domain.com/accounts/renewals .

	  Contents of /usr/local/etc/krb5/pass_exp_msg :
	
		Information on changing your password can be found at
		http://www.my.domain.com/accounts/passchange .

	- remove the code that checks key_exp, as it is unclear what key_exp
	  is indicating

	- whatever else needs to be done :->

Questions, comments, criticism welcome. Thanks,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
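The following is an added example, not the patch proposed above and not code from the krb5 tree, showing how the client-side half of the proposal could assemble the banner: scan the last_req entries for the earliest password and principal expiry, warn about each that falls within an admin-chosen window, and append the contents of the admin's message file after the matching warning. The type codes 6/-6 are the KRB5_LRQ_*_PW_EXPTIME values named above; 7/-7 are the principal-expiry codes the post assumes, copied here as plain defines rather than taken from krb5 headers. The `lreq_entry` struct, `read_msg_file`, `build_exp_banner` and the sample data are this example's own, simplified stand-ins for the real library types.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Last-request type codes.  6/-6 are the krb5 password-expiry codes named in
 * the post; 7/-7 are the principal-expiry codes the post assumes (assumption,
 * not taken from a krb5 header).  Positive = applies to all keys/accounts,
 * negative = applies to the one used in this request. */
#define LRQ_ALL_PW_EXPTIME     6
#define LRQ_ONE_PW_EXPTIME    -6
#define LRQ_ALL_ACCT_EXPTIME   7   /* assumed */
#define LRQ_ONE_ACCT_EXPTIME  -7   /* assumed */

/* Simplified stand-in for one entry of the KDC reply's last_req array. */
typedef struct {
    int    lr_type;
    time_t lr_value;
} lreq_entry;

/* Earliest expiry of one kind (either its "all" or "one" code) among the
 * entries; 0 when the KDC sent nothing of that kind. */
static time_t earliest_exp(const lreq_entry *e, size_t n, int all_t, int one_t)
{
    time_t best = 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].lr_type != all_t && e[i].lr_type != one_t) continue;
        if (best == 0 || e[i].lr_value < best) best = e[i].lr_value;
    }
    return best;
}

/* Read an admin-supplied message file (the gic_*_exp_msg idea) into buf.
 * Returns 0 on success, -1 if it cannot be opened; the caller then just
 * omits the extra text instead of failing the login. */
int read_msg_file(const char *path, char *buf, size_t buflen)
{
    FILE *fp;
    size_t got;
    if (path == NULL || buflen == 0) return -1;
    fp = fopen(path, "r");
    if (fp == NULL) return -1;
    got = fread(buf, 1, buflen - 1, fp);
    fclose(fp);
    buf[got] = '\0';
    return 0;
}

/* Bounded append that never overruns out[outlen]. */
static void append_str(char *out, size_t outlen, const char *s)
{
    size_t used = strlen(out);
    if (s == NULL || used + 1 >= outlen) return;
    strncat(out, s, outlen - used - 1);
}

/* Add one warning line if exp is within warn_secs of now (or already past),
 * followed by the admin's extra text.  Returns 1 if a warning was added. */
static int add_warning(char *out, size_t outlen, const char *what, time_t exp,
                       time_t now, long warn_secs, const char *extra)
{
    char line[256];
    double left;
    if (exp == 0) return 0;
    left = difftime(exp, now);
    if (left > (double)warn_secs) return 0;
    if (left <= 0)
        snprintf(line, sizeof line, "Warning: Your %s has expired.\n", what);
    else if (left < 86400)
        snprintf(line, sizeof line, "Warning: Your %s will expire within 24 hours.\n", what);
    else
        snprintf(line, sizeof line, "Warning: Your %s will expire in %ld day(s).\n",
                 what, (long)(left / 86400));
    append_str(out, outlen, line);
    append_str(out, outlen, extra);
    return 1;
}

/* Build the banner.  Both a principal warning and a password warning are
 * emitted when both expiries fall inside the window.  Returns 0, 1 or 2. */
int build_exp_banner(const lreq_entry *e, size_t n, time_t now, long warn_secs,
                     const char *princ_msg, const char *pass_msg,
                     char *out, size_t outlen)
{
    int added = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    added += add_warning(out, outlen, "Kerberos principal",
                         earliest_exp(e, n, LRQ_ALL_ACCT_EXPTIME, LRQ_ONE_ACCT_EXPTIME),
                         now, warn_secs, princ_msg);
    added += add_warning(out, outlen, "password",
                         earliest_exp(e, n, LRQ_ALL_PW_EXPTIME, LRQ_ONE_PW_EXPTIME),
                         now, warn_secs, pass_msg);
    return added;
}

int main(void)
{
    /* Constructed sample: password expires in 3 days, principal in 60 days,
     * warning window 14 days, so only the password line should appear. */
    time_t now = 1000000000;
    lreq_entry sample[2] = {
        { LRQ_ONE_PW_EXPTIME,   now + 3 * 86400 },
        { LRQ_ALL_ACCT_EXPTIME, now + 60 * 86400 },
    };
    char banner[1024];
    int n = build_exp_banner(sample, 2, now, 14 * 86400L,
                             "Information on renewing accounts: (placeholder URL)\n",
                             "Information on changing your password: (placeholder URL)\n",
                             banner, sizeof banner);
    printf("%d warning(s):\n%s", n, banner);
    return 0;
}
```

The window (`warn_secs`) and the two message strings stand in for what the proposal would read from `[libdefaults]`; a missing message file is treated as "no extra text" rather than an error, since an expiry notice should never block a login that the KDC already accepted.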
