AS_REQ key expiration vs principal expiration checking order?
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Jun 24 17:15:12 EDT 2009
--On Wednesday, June 24, 2009 02:03:47 PM -0400 Tom Yu <tlyu at mit.edu> wrote:
> Existing code in src/kdc_util.c (trunk and krb5-1.7, also probably
> older releases), while validating the AS_REQ, checks for key
> expiration before checking for client principal expiration. There is
> a bug report that the principal expiration condition should be
> reported to the client in preference to the password expiration
> condition, rather than the reverse ordering, which is what the code
> currently does:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=6428
>
> Does anyone recall a reason why we might deliberately use the existing
> ordering for AS_REQ validation? RFC 4120 and RFC 1510 do not specify
> anything related to this behavior.
I can't think of one, and I can think of a good reason to check for client
principal expiration first. Particularly, KDC_ERR_KEY_EXPIRED carries the
implication that you can resolve the problem by changing the password, and
a pretty large class of clients (PAM modules and similar) will assume this
and prompt the user to change the password.
-- Jeff
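The two check orderings under discussion, as an added illustration that is not MIT krb5's kdc_util.c code: the kdc_entry struct and the function names are hypothetical, and the error code values are the RFC 4120 section 7.5.9 assignments.

```c
/* Added example, not MIT krb5 code: models the two AS_REQ check orderings
 * discussed in the thread. The kdc_entry struct and function names are
 * hypothetical; the error code values are from RFC 4120 section 7.5.9. */
#include <stdint.h>
#include <stdio.h>

#define KDC_ERR_NONE        0
#define KDC_ERR_NAME_EXP    1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXPIRED 23  /* password has expired; change password to reset */

/* Hypothetical minimal principal entry; 0 means "never expires". */
struct kdc_entry {
    uint32_t expiration;     /* principal expiration, seconds since epoch */
    uint32_t pw_expiration;  /* key (password) expiration */
};
/* Ordering the ticket reports as the bug: key expiration is checked first,
 * so an expired principal with an expired key gets KDC_ERR_KEY_EXPIRED. */
int validate_as_req_old(const struct kdc_entry *c, uint32_t now)
{
    if (c->pw_expiration && c->pw_expiration < now)
        return KDC_ERR_KEY_EXPIRED;
    if (c->expiration && c->expiration < now)
        return KDC_ERR_NAME_EXP;
    return KDC_ERR_NONE;
}
/* Ordering proposed in the thread: principal expiration reported first. */
int validate_as_req_new(const struct kdc_entry *c, uint32_t now)
{
    if (c->expiration && c->expiration < now)
        return KDC_ERR_NAME_EXP;
    if (c->pw_expiration && c->pw_expiration < now)
        return KDC_ERR_KEY_EXPIRED;
    return KDC_ERR_NONE;
}
/* Client behaviour Jeff describes: KDC_ERR_KEY_EXPIRED alone is read as
 * "fixable by changing the password" and triggers a change prompt. */
int client_would_prompt_pwchange(int kdc_err)
{
    return kdc_err == KDC_ERR_KEY_EXPIRED;
}

int main(void)
{
    struct kdc_entry both = { 1000, 1000 };  /* constructed: both expired at t=1000 */
    printf("old order: err=%d\n", validate_as_req_old(&both, 2000));  /* 23 */
    printf("new order: err=%d\n", validate_as_req_new(&both, 2000));  /* 1 */
    return 0;
}
```

With the old ordering an expired principal whose key has also lapsed is steered into a password-change prompt that cannot succeed; the new ordering reports KDC_ERR_NAME_EXP and the prompt never fires.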