Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Jeffrey Altman jaltman at
Wed Nov 15 06:56:33 EST 2006

krb5_get_init_creds_password() prompts the user to change her password
whenever krb5_get_init_creds() returns KRB5KDC_ERR_KEY_EXP if a prompter
function has been provided (on all platforms other than KFM.)  KFM
compiles out this functionality because the Login Library has its own
password change dialog and it is expected that
krb5_get_init_creds_password() will never be called directly by an

When krb5_get_init_creds_password() is called from a credential manager
such as Leash or Network Identity Manager (KFW) there is an equivalent
need to disable the password change prompting.  The ticket manager has
its own change password dialogs which provide a better user experience
than can be provided by the use of the prompter interface.

Disabling the password change prompting entirely in KFW is inappropriate
because there are third party applications that may count on its
existing behavior.  Instead, I propose adding a new
krb5_get_init_creds_opt value which controls whether or not prompting
should be performed.  If the option is not set, then the default is to
prompt for password change.  If the option is set, the value set by the
caller is used.

A call to krb5_get_init_creds_opt_set_change_password_prompt(opt, 0)
would allow a credential manager to disable change password prompting
for the subsequent call to krb5_get_init_creds_password.

I propose this change be accepted for krb5 1.6.

A patch implementing this change against the trunk is attached.

Please comment.

Jeffrey Altman
Secure Endpoints Inc.
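As an added illustration (not the attached patch and not krb5's own code), here is a small stand-alone C model of the proposed semantics: the option is effectively tri-state (unset, set to 0, set to 1), unset preserves the existing behavior for third-party callers, and the library prompt still requires both a prompter and the KRB5KDC_ERR_KEY_EXP result. The struct, flag, constant and function names below are assumptions made for this model only.

```c
#include <stdio.h>
#include <string.h>

/* Model constants (assumptions for this example, not from krb5 headers). */
#define MODEL_ERR_KEY_EXP       23     /* stands in for KRB5KDC_ERR_KEY_EXP */
#define OPT_CHG_PWD_PRMPT_SET   0x01   /* "caller explicitly set the option" */

typedef int (*prompter_fn)(const char *msg);

/* Minimal model of krb5_get_init_creds_opt with the proposed field added. */
struct gic_opt {
    unsigned flags;        /* which options the caller has explicitly set */
    int chg_pwd_prompt;    /* caller's value; meaningful only when flag is set */
};

void opt_init(struct gic_opt *opt) { memset(opt, 0, sizeof(*opt)); }

/* The proposed setter: record the value and the fact that it was set. */
void opt_set_change_password_prompt(struct gic_opt *opt, int prompt)
{
    opt->chg_pwd_prompt = prompt;
    opt->flags |= OPT_CHG_PWD_PRMPT_SET;
}

/* Decision krb5_get_init_creds_password() would make after the initial
 * request fails: run its own change-password flow through the prompter? */
int should_prompt_for_change(const struct gic_opt *opt, int ret,
                             prompter_fn prompter)
{
    if (ret != MODEL_ERR_KEY_EXP || prompter == NULL)
        return 0;                        /* not expired, or no way to ask */
    if (opt == NULL || !(opt->flags & OPT_CHG_PWD_PRMPT_SET))
        return 1;                        /* option unset: existing behavior */
    return opt->chg_pwd_prompt != 0;     /* option set: caller decides */
}

static int console_prompter(const char *msg) { printf("%s\n", msg); return 0; }

int main(void)
{
    struct gic_opt opt;
    opt_init(&opt);
    /* A credential manager such as Leash or NIM disables the library prompt
     * and handles KRB5KDC_ERR_KEY_EXP with its own change-password dialog. */
    opt_set_change_password_prompt(&opt, 0);
    if (!should_prompt_for_change(&opt, MODEL_ERR_KEY_EXP, console_prompter))
        printf("library prompt suppressed; manager shows its own dialog\n");
    return 0;
}
```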
