Adding password-expiration LAST_REQ message.

Ken Hornstein kenh at
Tue Mar 2 19:05:20 EST 2021

>On Tue, Mar 02, 2021 at 05:59:15PM -0500, Ken Hornstein wrote:
>> We have an old change to the MIT KDC that returns a password expiration
>> time in the last-req field of the ticket.  It also includes a KDC
>> configuration entry to specify a time limit for sending the message
>> (like if the password expiration is occuring within a week).  The
>> client support for this already exists in MIT Kerberos.  Would this
>> change (cleaned up and documented) be welcome to be submitted?
>This would be a new "lr-type" value?

Not at all.  An appropriate lr-type already exists in both the
RFC and the MIT source code.  See §5.4.2 of RFC 4120, under
lr-type (6).  And see the MIT source code for the preprocessor
value KRB5_LRQ_ALL_PW_EXPTIME (and the client side code in
lib/krb5/krb/gic_pwd.c).  Like I said, the CLIENT code is already there;
the missing piece is on the KDC side.


More information about the krbdev mailing list