pkinit and passwords issues
Will Fiveash
William.Fiveash at sun.com
Fri Feb 12 17:34:20 EST 2010
On Thu, Feb 11, 2010 at 06:43:49PM -0500, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
>
> Will> I've noticed that if a princ's password has expired the KDC is
> Will> sending back a passwd expired error message even if PKINIT is
> Will> being attempted with a valid cert. This strikes me as buggy.
> Will> Why should the KDC check the validity of a princ's password if
> Will> the princ is attempting PKINIT preauth?
>
> Will> I believe the problem lies with this check in
> Will> validate_as_request():
>
>
> It seems like this falls into two categories:
>
> 1) The principal has a password that is sometimes used. In this case
> I'd think a lot of sites would actually find resetting the password
> valuable at this point.
> So, if there is a mechanism to bypass this check it should be optional.
Agreed.
> 2) There is no valid password. In which, the password should not be set
> to expire.
>
> The biggest question I have about how to fix this is how to decide in a
> generic manner whether you're using a preauthentication mechanism for
> which password expiration is important.
> do you have any thoughts on how to accomplish this?
Not at the moment but I'll think on it.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
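As an added illustration (not code from the thread, MIT krb5 or the authors), a hypothetical model of the decision Sam raises: when should the KDC's password-expiry check in the AS-REQ path apply? The preauth type numbers and the KDC_ERR_KEY_EXP code are the standard values from RFC 4120 and RFC 4556; the `Principal`, `KdcPolicy` and `PASSWORDLESS_PREAUTH` names and the opt-in policy flag are assumptions.

```python
# Added, hypothetical model of the KDC decision discussed in the thread. It is
# NOT MIT krb5's validate_as_request(); only the constants below are standard.
import time
from dataclasses import dataclass
from typing import Optional

PA_ENC_TIMESTAMP = 2    # password-derived preauth (RFC 4120)
PA_PK_AS_REQ = 16       # PKINIT preauth (RFC 4556)
KDC_ERR_KEY_EXP = 23    # "password has expired" error code (RFC 4120)

# Preauth types whose success does not depend on the principal's password.
# Assumption: this is the "generic" classification the thread asks for.
PASSWORDLESS_PREAUTH = frozenset({PA_PK_AS_REQ})

@dataclass
class Principal:
    name: str
    has_password: bool            # False: cert-only principal, no long-term key
    pw_expiration: Optional[int]  # POSIX seconds; None means never expires

@dataclass
class KdcPolicy:
    # Sam's point (category 1): bypassing the check must be a site option.
    skip_pw_expiry_for_passwordless_preauth: bool = False

def password_expiry_error(princ, padata_types, policy, now=None):
    """Return KDC_ERR_KEY_EXP if the AS-REQ should be rejected because the
    principal's password has expired, otherwise None."""
    now = time.time() if now is None else now
    if not princ.has_password or princ.pw_expiration is None:
        return None  # category 2: no password, nothing to expire
    expired = now >= princ.pw_expiration
    if not expired:
        return None
    offered = set(padata_types)
    # Bypass only when the client offered ONLY passwordless preauth and the
    # site opted in; a request that also offers PA-ENC-TIMESTAMP still relies
    # on the password, so the existing expiry behaviour is kept.
    if (policy.skip_pw_expiry_for_passwordless_preauth
            and offered and offered <= PASSWORDLESS_PREAUTH):
        return None
    return KDC_ERR_KEY_EXP
```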
More information about the krbdev mailing list