Adding password-expiration LAST_REQ message.

Benjamin Kaduk kaduk at
Tue Mar 2 19:13:34 EST 2021

On Tue, Mar 02, 2021 at 07:05:20PM -0500, Ken Hornstein wrote:
> >On Tue, Mar 02, 2021 at 05:59:15PM -0500, Ken Hornstein wrote:
> >> We have an old change to the MIT KDC that returns a password expiration
> >> time in the last-req field of the ticket.  It also includes a KDC
> >> configuration entry to specify a time limit for sending the message
> >> (like if the password expiration is occuring within a week).  The
> >> client support for this already exists in MIT Kerberos.  Would this
> >> change (cleaned up and documented) be welcome to be submitted?
> >
> >This would be a new "lr-type" value?
> Not at all.  An appropriate lr-type already exists in both the
> RFC and the MIT source code.  See §5.4.2 of RFC 4120, under
> lr-type (6).  And see the MIT source code for the preprocessor
> value KRB5_LRQ_ALL_PW_EXPTIME (and the client side code in
> lib/krb5/krb/gic_pwd.c).  Like I said, the CLIENT code is already there;
> the missing piece is on the KDC side.

... apparently I flat-out missed the last two sentences of that paragraph.
Oops.  Thanks for setting me straight.


More information about the krbdev mailing list