pkinit and passwords issues

Will Fiveash William.Fiveash at
Fri Feb 12 17:34:20 EST 2010

On Thu, Feb 11, 2010 at 06:43:49PM -0500, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <William.Fiveash at> writes:
>     Will> I've noticed that if a princ's password has expired the KDC is
>     Will> sending back a passwd expired error message even if PKINIT is
>     Will> being attempted with a valid cert.  This strikes me as buggy.
>     Will> Why should the KDC check the validity of a princ's password if
>     Will> the princ is attempting PKINIT preauth?
>     Will> I believe the problem lies with this check in
>     Will> validate_as_request():
> It seems like this falls into two categories:
> 1) The principal has a password that is sometimes used.  In this case
> I'd think a lot of sites would actually find resetting the password
> valuable at this point.
> So, if there is a mechanism to bypass this check it should be optional.
> 2) There is no valid password.  In which case, the password should not be set
> to expire.
> The biggest question I have about how to fix this is how to decide in a
> generic manner whether you're using a preauthentication mechanism for
> which password expiration is important.
> Do you have any thoughts on how to accomplish this?

Not at the moment but I'll think on it.

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA
