pkinit and passwords issues
Sam Hartman
hartmans at MIT.EDU
Thu Feb 11 18:43:49 EST 2010
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> I've noticed that if a princ's password has expired the KDC is
Will> sending back a passwd expired error message even if PKINIT is
Will> being attempted with a valid cert. This strikes me as buggy.
Will> Why should the KDC check the validity of a princ's password if
Will> the princ is attempting PKINIT preauth?
Will> I believe the problem lies with this check in
Will> validate_as_request():
It seems like this falls into two categories:
1) The principal has a password that is sometimes used. In this case
I'd think a lot of sites would actually find resetting the password
valuable at this point.
So, if there is a mechanism to bypass this check it should be optional.
2) There is no valid password. In which case, the password should not be set
to expire.
The biggest question I have about how to fix this is how to decide in a
generic manner whether you're using a preauthentication mechanism for
which password expiration is important.
Do you have any thoughts on how to accomplish this?
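As an added illustration (not code from the thread or from MIT krb5), the following Python sketch models the decision the message is asking about: the KDC only reports an expired password when the pre-authentication mechanism that actually verified the client is one that proves possession of the password-derived key, with a site policy knob for sites that want the reset forced regardless (category 1), and a principal without any usable password never tripping the check (category 2). The preauth type numbers and the KDC_ERR_KEY_EXP code are the real RFC 4120/4556/6113 values; the `PASSWORD_BASED_PREAUTH` set, `Principal`, `SitePolicy` and `check_password_expired` are hypothetical names for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Pre-authentication type numbers (real values from RFC 4120 / 4556 / 6113).
PA_ENC_TIMESTAMP = 2          # encrypted timestamp: proves the password key
PA_PK_AS_REQ = 16             # PKINIT: proves possession of a certificate key
PA_ENCRYPTED_CHALLENGE = 138  # FAST encrypted challenge: also password-based

# KDC error returned for an expired key/password (RFC 4120 KDC_ERR_KEY_EXP).
KDC_ERR_KEY_EXP = 23

# Hypothetical classification: mechanisms whose success demonstrates knowledge
# of the principal's long-term password. Expiry is only meaningful for these.
PASSWORD_BASED_PREAUTH = {PA_ENC_TIMESTAMP, PA_ENCRYPTED_CHALLENGE}


@dataclass
class Principal:
    """Minimal stand-in for a KDB entry (constructed for the example)."""
    name: str
    has_password: bool                  # False for certificate-only principals
    pw_expiration: Optional[datetime]   # None means the password never expires


@dataclass
class SitePolicy:
    """Site-level option: force a password reset even after PKINIT succeeds."""
    enforce_expiry_for_all_preauth: bool = False


def password_expired(princ: Principal, now: datetime) -> bool:
    """True if the principal's password has an expiry time already in the past."""
    return princ.pw_expiration is not None and now >= princ.pw_expiration


def check_password_expired(princ: Principal, verified_pa_type: int,
                           policy: SitePolicy, now: datetime) -> Optional[int]:
    """Decide whether an AS-REQ must be refused with KDC_ERR_KEY_EXP.

    verified_pa_type is the preauth type the KDC actually validated for this
    request. Returns the error code to send, or None to let the request proceed.
    """
    if not password_expired(princ, now):
        return None
    # Category 1: a site that uses the password sometimes may want the
    # expired password reset now, whatever mechanism the client used.
    if policy.enforce_expiry_for_all_preauth:
        return KDC_ERR_KEY_EXP
    # Category 2: a principal with no usable password has nothing to expire;
    # a stale expiry time on such an entry should never block authentication.
    if not princ.has_password:
        return None
    # Generic rule: expiry only matters when the proof used the password key.
    if verified_pa_type in PASSWORD_BASED_PREAUTH:
        return KDC_ERR_KEY_EXP
    return None


if __name__ == "__main__":
    # Constructed sample entries, dated around the time of the message.
    now = datetime(2010, 2, 11, tzinfo=timezone.utc)
    alice = Principal("alice", True, now - timedelta(days=1))   # expired password
    host = Principal("host/kdc", False, None)                    # certificate only
    print(check_password_expired(alice, PA_ENC_TIMESTAMP, SitePolicy(), now))
    print(check_password_expired(alice, PA_PK_AS_REQ, SitePolicy(), now))
    print(check_password_expired(host, PA_PK_AS_REQ, SitePolicy(), now))
```

The point of keying the decision on the mechanism the KDC verified, rather than on whatever padata the client offered, is that a request can carry several preauth types; only the one that actually proved the client's identity says anything about whether the password key was used.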
More information about the krbdev mailing list