[29092] in Kerberos


Re: password expiry for a principal

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jan 18 02:23:42 2008

To: Russ Allbery <rra@stanford.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Fri, 18 Jan 2008 00:01:46 -0500
In-Reply-To: <87hchbn4rs.fsf@windlord.stanford.edu> (Russ Allbery's message of
	"Thu, 17 Jan 2008 20:20:39 -0800")
Message-ID: <ldv1w8fohfp.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>>>>> "Russ" == Russ Allbery <rra@stanford.edu> writes:

Russ> Coy Hile <coy.hile@coyhile.com> writes:
>> kadmin:  modprinc +needchange cah220
>> Principal "cah220@COYHILE.COM" modified.
>> kadmin:  quit
>> [22:53:31]supergrover:~ % kinit cah220
>> kinit(v5): Password has expired while getting initial credentials
>> [22:53:37]supergrover:~ %
>> 
>> For what it's worth, I'm using an MIT kdc (actually SEAM).

Russ> I don't believe kinit supports prompting for password changes, but you can
Russ> still use kpasswd when the principal is marked +needchange.  A good PAM
Russ> module should currently handle this case and prompt the user to change
Russ> their password.

A modern kinit program that uses the get_init_creds API will prompt
for a password change if the password has expired.  I don't know if
the SEAM kinit is one of these, and you didn't mention which kinit
program you're using.

---Tom
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
