Adding password-expiration LAST_REQ message.

Greg Hudson ghudson at
Tue Mar 9 02:19:52 EST 2021

On 3/2/21 5:59 PM, Ken Hornstein wrote:
> We have an old change to the MIT KDC that returns a password expiration
> time in the last-req field of the ticket.  It also includes a KDC
> configuration entry to specify a time limit for sending the message
> (like if the password expiration is occuring within a week).  The
> client support for this already exists in MIT Kerberos.  Would this
> change (cleaned up and documented) be welcome to be submitted?

The MIT KDC currently sets the key-expiration field to the minimum of
account expiration time and password expiration time (if either is set).
 This works okay to the extent that realms don't use account expiration
times.  When account expiration times are used, the client can display
password expiration warnings when it is actually the account that is set
to expire.

The Heimdal KDC always sends last-req information in AS-REPs when there
are password or account expiration times to report.  I think we can do
the same; we shouldn't need a new KDC config variable.

More information about the krbdev mailing list