AS_REQ key expiration vs principal expiration checking order?

Jeffrey Hutzelman jhutz at
Wed Jun 24 17:15:12 EDT 2009

--On Wednesday, June 24, 2009 02:03:47 PM -0400 Tom Yu <tlyu at> wrote:

> Existing code in src/kdc_util.c (trunk and krb5-1.7, also probably
> older releases), while validating the AS_REQ, checks for key
> expiration before checking for client principal expiration.  There is
> a bug report that the principal expiration condition should be
> reported to the client in preference to the password expiration
> condition, rather than the reverse ordering, which is what the code
> currently does:
> Does anyone recall a reason why we might deliberately use the existing
> ordering for AS_REQ validation?  RFC 4120 and RFC 1510 do not specify
> anything related to this behavior.

I can't think of one, and I can think of a good reason to check for client 
principal expiration first.  Particularly, KDC_ERR_KEY_EXPIRED carries the 
implication that you can resolve the problem by changing the password, and 
a pretty large class of clients (PAM modules and similar) will assume this 
and prompt the user to change the password.

-- Jeff
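To make the ordering question concrete, here is an added illustration (not code from MIT krb5 or from this thread) of the two check orders side by side, plus the client-side reaction Jeff describes. The error code names and numbers come from RFC 4120; the `client_entry` struct, `validate_as_req_client` and `client_should_prompt_password_change` are assumed names for this example only.

```c
#include <stdbool.h>
#include <time.h>

/* Protocol error codes as defined in RFC 4120; the numbers are standard. */
#define KDC_ERR_NONE        0
#define KDC_ERR_NAME_EXP    1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXPIRED 23  /* password has expired; change it to reset */

/* Minimal stand-in for the KDC's client database entry (assumed shape,
 * not the real krb5 structure). 0 means "never expires". */
struct client_entry {
    time_t princ_expiration;
    time_t pw_expiration;
};

static bool expired(time_t when, time_t now)
{
    return when != 0 && when <= now;
}

/* Validate the client entry of an AS_REQ at time `now`.
 * princ_first == true  : principal expiration checked first (the ordering
 *                        the thread argues for).
 * princ_first == false : key expiration checked first (the ordering the
 *                        thread describes as the current code). */
int validate_as_req_client(const struct client_entry *c, time_t now,
                           bool princ_first)
{
    if (princ_first) {
        if (expired(c->princ_expiration, now)) return KDC_ERR_NAME_EXP;
        if (expired(c->pw_expiration, now))    return KDC_ERR_KEY_EXPIRED;
    } else {
        if (expired(c->pw_expiration, now))    return KDC_ERR_KEY_EXPIRED;
        if (expired(c->princ_expiration, now)) return KDC_ERR_NAME_EXP;
    }
    return KDC_ERR_NONE;
}

/* What a typical client (e.g. a PAM module) infers from the error: only
 * KDC_ERR_KEY_EXPIRED suggests that changing the password will help, so
 * reporting it for an expired principal sends the user down a dead end. */
bool client_should_prompt_password_change(int kdc_err)
{
    return kdc_err == KDC_ERR_KEY_EXPIRED;
}
```

With both timestamps in the past, the key-first order yields KDC_ERR_KEY_EXPIRED and a pointless password-change prompt, while the principal-first order yields KDC_ERR_NAME_EXP and no prompt.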