pkinit and passwords issues

Sam Hartman hartmans at MIT.EDU
Thu Feb 11 18:43:49 EST 2010

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> I've noticed that if a princ's password has expired the KDC is
    Will> sending back a passwd expired error message even if PKINIT is
    Will> being attempted with a valid cert.  This strikes me as buggy.
    Will> Why should the KDC check the validity of a princ's password if
    Will> the princ is attempting PKINIT preauth?

    Will> I believe the problem lies with this check in
    Will> validate_as_request():

It seems like this falls into two categories:

1) The principal has a password that is sometimes used.  In this case
I'd think a lot of sites would actually find resetting the password
valuable at this point.
So, if there is a mechanism to bypass this check it should be optional.

2) There is no valid password, in which case the password should not be
set to expire.

The biggest question I have about how to fix this is how to decide in a
generic manner whether you're using a preauthentication mechanism for
which password expiration is important.
Do you have any thoughts on how to accomplish this?