Adding password-expiration LAST_REQ message.
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Mar 2 19:05:20 EST 2021
>On Tue, Mar 02, 2021 at 05:59:15PM -0500, Ken Hornstein wrote:
>> We have an old change to the MIT KDC that returns a password expiration
>> time in the last-req field of the ticket. It also includes a KDC
>> configuration entry to specify a time limit for sending the message
>> (like if the password expiration is occurring within a week). The
>> client support for this already exists in MIT Kerberos. Would this
>> change (cleaned up and documented) be welcome to be submitted?
>
>This would be a new "lr-type" value?
Not at all. An appropriate lr-type already exists in both the
RFC and the MIT source code. See §5.4.2 of RFC 4120, under
lr-type (6). And see the MIT source code for the preprocessor
value KRB5_LRQ_ALL_PW_EXPTIME (and the client side code in
lib/krb5/krb/gic_pwd.c). Like I said, the CLIENT code is already there;
the missing piece is on the KDC side.
--Ken
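
A sketch of the KDC-side decision the message describes, together with the matching client-side scan, as an added example that is not MIT Kerberos code and not part of the original post. The struct, both function names and the `warn_window` parameter are hypothetical; only the lr-type value 6 comes from RFC 4120.

```c
#include <stddef.h>
#include <stdint.h>

/* lr-type 6 (RFC 4120 section 5.4.2): lr-value is the password expiry time.
 * MIT's header names this value KRB5_LRQ_ALL_PW_EXPTIME. */
#define LR_PW_EXPTIME 6

/* Simplified stand-in for one last-req entry; not the MIT struct. */
struct lr_entry {
    int32_t lr_type;
    int64_t lr_value;              /* seconds since the epoch */
};

/* KDC side (hypothetical): fill *out only when the password expires within
 * warn_window seconds of now. Assumptions: pw_expiration == 0 means the
 * password never expires, and warn_window <= 0 disables the message.
 * Returns 1 if an entry was produced, 0 otherwise. */
int kdc_pw_exp_entry(int64_t now, int64_t pw_expiration,
                     int64_t warn_window, struct lr_entry *out)
{
    if (pw_expiration == 0 || warn_window <= 0)
        return 0;
    if (pw_expiration <= now)      /* already expired: nothing to warn about */
        return 0;
    if (pw_expiration - now > warn_window)
        return 0;                  /* too far away to mention yet */
    out->lr_type = LR_PW_EXPTIME;
    out->lr_value = pw_expiration;
    return 1;
}

/* Client side (hypothetical): scan the last-req entries from the reply and
 * return the seconds left before the password expires, or -1 when the KDC
 * sent no lr-type 6 entry or the time has already passed. */
int64_t client_pw_exp_remaining(const struct lr_entry *lr, size_t n, int64_t now)
{
    for (size_t i = 0; i < n; i++) {
        if (lr[i].lr_type == LR_PW_EXPTIME && lr[i].lr_value > now)
            return lr[i].lr_value - now;
    }
    return -1;
}
```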