Password expiration API project

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Aug 11 13:16:03 EDT 2010

I'm making a relatively simple change to password expiration behavior
to improve programmatic control over password expiry warnings.  Since
it involves an API change, I wrote up a project page for it:

and began a review ending this Friday.  I'll include the concrete
proposal below for ease of review.


A new get_init_creds option will be added as follows:

 typedef void
 krb5_expire_callback_func(krb5_context context, void *data,
                           krb5_timestamp password_expiration,
                           krb5_timestamp account_expiration,
                           krb5_boolean is_last_req);

 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_opt_set_expire_callback(krb5_context context,
                                             krb5_get_init_creds_opt *opt,
                                             krb5_expiration_callback_func cb,
                                             void *data);

If this callback is provided, the prompter will not be invoked with
warning messages.  Instead, upon successful acquisition of
credentials, the callback will be invoked as follows:

* If last-req entries with tags 6, -6, 7, or -7 exist, those will be
  used for the password and account expiration timestamps (0 if one or
  the other is not specified), and is_last_req will be true.

* Otherwise, password_expiration will be the key-expiration value
  (which may be 0), account_expiration will be 0, and is_last_req will
  be false.

If a caller does not set the expiration callback, the prompter will be
invoked as before, but the banners will use consistent string formats
independent of whether the expiration time came from key-expiration or
last-req values.

More information about the krbdev mailing list