[29091] in Kerberos
Re: password expiry for a principal
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jan 17 23:21:32 2008
To: Coy Hile <coy.hile@coyhile.com>
In-Reply-To: <Pine.GSO.4.61.0801172250190.9003@supergrover.coyhile.com> (Coy
Hile's message of "Thu\, 17 Jan 2008 22\:54\:53 -0500 \(EST\)")
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 17 Jan 2008 20:20:39 -0800
Message-ID: <87hchbn4rs.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Coy Hile <coy.hile@coyhile.com> writes:
> Is there any good way to make sure that a user will be prompted to change
> his password the next time he authenticates as a given principal?
>
> My first attempt was via setting the needchange flag on a test principal,
> but then I am unable to authenticate as that principal in the first place:
>
> kadmin: modprinc +needchange cah220
> Principal "cah220@COYHILE.COM" modified.
> kadmin: quit
> [22:53:31]supergrover:~ % kinit cah220
> kinit(v5): Password has expired while getting initial credentials
> [22:53:37]supergrover:~ %
>
> For what it's worth, I'm using an MIT kdc (actually SEAM).

I don't believe kinit supports prompting for password changes, but you can
still use kpasswd when the principal is marked +needchange. A good PAM
module should currently handle this case and prompt the user to change
their password.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
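
The fallback described in the reply above, as an added shell example that is not part of the original messages: it runs kinit, and when the KDC answers "Password has expired" (the +needchange case from the thread) it hands off to kpasswd and then retries. The function name kinit_or_change is hypothetical, and the script assumes the standard kinit and kpasswd clients are on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. kinit_or_change is a hypothetical name.
# Usage (after sourcing this file): kinit_or_change cah220

kinit_or_change() {
    princ=$1
    rc=0

    # Capture only stderr in $err; fd 3 keeps kinit's stdout (where the
    # password prompt may be written) attached to the caller's stdout.
    # LC_ALL=C keeps the error text in the form shown in the thread.
    { err=$(LC_ALL=C kinit "$princ" 2>&1 1>&3) || rc=$?; } 3>&1

    if [ "$rc" -eq 0 ]; then
        return 0
    fi

    case $err in
        *"Password has expired"*)
            # +needchange (or an expired password): the KDC refuses a TGT,
            # but kpasswd can still be used to set a new password.
            echo "Password for $princ must be changed before login." >&2
            kpasswd "$princ" || return 1
            # Retry with the new password.
            kinit "$princ"
            ;;
        *)
            # Any other failure (unknown principal, wrong password, KDC
            # unreachable) is reported unchanged; kpasswd is not attempted.
            printf '%s\n' "$err" >&2
            return "$rc"
            ;;
    esac
}
```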