Adding password-expiration LAST_REQ message.
Benjamin Kaduk
kaduk at mit.edu
Tue Mar 2 19:13:34 EST 2021
On Tue, Mar 02, 2021 at 07:05:20PM -0500, Ken Hornstein wrote:
> >On Tue, Mar 02, 2021 at 05:59:15PM -0500, Ken Hornstein wrote:
> >> We have an old change to the MIT KDC that returns a password expiration
> >> time in the last-req field of the ticket. It also includes a KDC
> >> configuration entry to specify a time limit for sending the message
> >> (like if the password expiration is occurring within a week). The
> >> client support for this already exists in MIT Kerberos. Would this
> >> change (cleaned up and documented) be welcome to be submitted?
> >
> >This would be a new "lr-type" value?
>
> Not at all. An appropriate lr-type already exists in both the
> RFC and the MIT source code. See §5.4.2 of RFC 4120, under
> lr-type (6). And see the MIT source code for the preprocessor
> value KRB5_LRQ_ALL_PW_EXPTIME (and the client side code in
> lib/krb5/krb/gic_pwd.c). Like I said, the CLIENT code is already there;
> the missing piece is on the KDC side.
... apparently I flat-out missed the last two sentences of that paragraph.
Oops. Thanks for setting me straight.
-Ben