[20259] in Kerberos_V5_Development

Re: Adding password-expiration LAST_REQ message.

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Tue Mar 2 19:05:37 2021

Message-ID: <202103030004.12303xgX030756@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Benjamin Kaduk <kaduk@mit.edu>
In-Reply-To: <20210302233440.GI21@kduck.mit.edu>
MIME-Version: 1.0
Date: Tue, 02 Mar 2021 19:05:20 -0500
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

>On Tue, Mar 02, 2021 at 05:59:15PM -0500, Ken Hornstein wrote:
>> We have an old change to the MIT KDC that returns a password expiration
>> time in the last-req field of the ticket.  It also includes a KDC
>> configuration entry to specify a time limit for sending the message
>> (like if the password expiration is occurring within a week).  The
>> client support for this already exists in MIT Kerberos.  Would this
>> change (cleaned up and documented) be welcome to be submitted?
>
>This would be a new "lr-type" value?

Not at all.  An appropriate lr-type already exists in both the
RFC and the MIT source code.  See §5.4.2 of RFC 4120, under
lr-type (6).  And see the MIT source code for the preprocessor
value KRB5_LRQ_ALL_PW_EXPTIME (and the client side code in
lib/krb5/krb/gic_pwd.c).  Like I said, the CLIENT code is already there;
the missing piece is on the KDC side.

--Ken