[29149] in Kerberos


Re: password expiry for a principal

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Sat Jan 26 21:03:53 2008

Message-ID: <479BE6BB.2010702@secure-endpoints.com>
Date: Sat, 26 Jan 2008 21:04:43 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: huaraz@moeller.plus.com
In-Reply-To: <fngmjb$8gn$1@ger.gmane.org>
Cc: kerberos@mit.edu
Reply-To: jaltman@secure-endpoints.com

Why would Solaris compile with that flag?  Solaris doesn't use the login
library.  The login library is a MacOS X specific feature. 

In the current MIT sources, disabling prompting for a password
change is a run time option.  If the caller wants prompting to be
disabled they should be using the

  krb5_get_init_creds_opt_set_change_password_prompt(opt, prompt)

function to disable it.  This permits callers such as PAM that would
know how to handle prompting better on their own to do so while
permitting the Kerberos library to prompt in the default case.

Jeffrey Altman


Markus Moeller wrote:
> I checked the sources and Solaris compiles MIT Kerberos with 
> USE_LOGIN_LIBRARY and in gic_pwd.c it means it goes to cleanup without 
> password change attempt.
>
> #ifdef USE_LOGIN_LIBRARY
>         if (ret == KRB5KDC_ERR_KEY_EXP)
>                 goto cleanup;   /* Login library will deal appropriately with this error */
> #endif
>
> I think this would mean pam_krb5 needs to remember the state in 
> pam_authenticate (which needs to return PAM_SUCCESS) and use it in 
> pam_acct_mgmt which will then prompt. So I guess an option like 
> login_library_used for pam_krb5 on Solaris is needed.
>
> Markus
>
>
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message 
> news:fn02tb$279$1@ger.gmane.org...
>> I see now the same message. I have to check again why my initial test looked OK.
>>
>> Markus
>>
>>
>> "Coy Hile" <coy.hile@coyhile.com> wrote in message
>> news:Pine.GSO.4.61.0801201153360.10312@supergrover.coyhile.com...
>>> On Sat, 19 Jan 2008, Russ Allbery wrote:
>>>
>>>
>>> I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
>>> principal whose password has expired, I see the following in the debug
>>> log:
>>>
>>> |Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as cah220@COYHILE.COM
>>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
>>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)
>>>
>>> For what it's worth, I've got the following in my pam.conf on this box:
>>>
>>> # grep sshd-kbdint pam.conf
>>> sshd-kbdint     auth requisite          pam_authtok_get.so.1
>>> sshd-kbdint     auth required           pam_dhkeys.so.1
>>> sshd-kbdint     auth required           /tmp/pam_krb5.so.1 debug
>>> sshd-kbdint     auth optional           pam_unix_auth.so.1
>>> sshd-kbdint     session required /tmp/pam_krb5.so.1 debug
>>> #
>>>
>>> Am I running into SEAM just not supporting "hey bozo, your password is
>>> expired, change it now", or did I hork the configuration somehow?
>>>
>>> If you want, I can also provide the sshd_config.
>>>
>>> I appreciate any help you can give with this; I'm still a bit of a
>>> novice when it comes to doing anything cute.  Along the same lines, is
>>> there any way to bounce back something like "Your password is going to
>>> expire in n days" during the authentication process? (say only if n <
>>> 10).  Actually strike that.  Is there some easy way to write an app
>>> that you'd run from /etc/profile to banner that sort of information? If
>>> I were using normal UNIX auth, I could do that relatively easily using
>>> the information in the shadow file.
>>>
>>> -- 
>>> Coy Hile
>>> coy.hile@coyhile.com
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>
