Is anyone actually using the password expiration features of Kerberos? I've been trying to make sure it works properly with the pam_krb5-1.0.3 package, but I've run into so many problems I'm wondering about the feasibility of doing so:
- I can only apparently get the pw_expiration info when running krb5_get_init_creds_password or krb5_get_init_creds, not with another library function
- requirement to patch both the krb5 libraries and the KDC to get it to actually work
- buggy pam_krb5-1.0.3 module: I just recently sent in a patch that fixed a simple pointer bug in the module causing segfaults whenever the libraries returned any messages (e.g., "Your password will expire...", "Your password has expired")
- buggy PAM programs:
  o the PAM patch for XDM causes a segfault when the (struct pam_message **) msg argument contains more than one message due to incorrect pointer dereference (derefs msg[count]->msg instead of msg[0][count].msg). I fixed that, but I'm getting another segfault elsewhere
  o If the pamified program ignores or improperly implements the pam conversation function once the password has expired, the user gets logged in, then the password expiration time is cleared (!!) from the KDC. I've seen this with sshd & kdm.
  o dtlogin does inform me that my password has expired, and that I need to change it now, but offers me no way to do so.

So, has anyone actually implemented password expiration in a decent fashion for the important login facilities for their network, i.e., xdm, dtlogin, sshd, su, xlock, etc.? My options appear to be:

- use or hack in native Kerberos support in my apps that does the right thing
- run a script periodically that does a getprinc for all my principals and sends them mail when their password is going to expire within a certain period of time
- keep going down the PAM path and fix things as I find them (Anyone interested in helping?)

Thoughts?
--
Jim Hranicky, Senior SysAdmin UF/CISE Department
E314D CSE Building  Phone (352) 392-1499
[EMAIL PROTECTED]  http://www.cise.ufl.edu/~jfh

"Given a choice between a complex, difficult-to-understand, disconcerting explanation and a simplistic, comforting one, many prefer simplistic comfort if it's remotely plausible, especially if it involves blaming someone else for their problems." -- Bob Lewis, _Infoworld_

________________________________________________
Kerberos mailing list  [EMAIL PROTECTED]  https://mailman.mit.edu/mailman/listinfo/kerberos
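The two-message conversation-function case from the post (the XDM patch's msg[count]->msg versus msg[0][count].msg dereference, and a program that has to answer the "password has expired" exchange instead of ignoring it), as an added C example that is not code from the original post or from pam_krb5. The PAM structs, the style and return codes, and the canned "s3cret" answer are constructed stand-ins so the example builds without the real PAM headers.

```c
/* Added example, not code from the original post; PAM types and codes are
 * constructed stand-ins for <security/pam_appl.h>. It models the layout the
 * post describes: msg points to ONE contiguous array, so message i is msg[0][i]
 * and msg[i]->msg reads garbage for i > 0 (Linux-PAM instead passes an array
 * of pointers, where msg[i]->msg is the correct form). */
#include <stdlib.h>
#include <string.h>
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Conversation function: one response slot per message; info text such as
 * "Your password has expired" is acknowledged with resp = NULL. */
int conv_fn(int num_msg, const struct pam_message **msg,
            struct pam_response **resp, void *appdata)
{
    struct pam_response *r; int i;
    if (num_msg <= 0 || msg == NULL || resp == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL) return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        const struct pam_message *m = &msg[0][i];       /* not msg[i]->msg */
        if (m->msg_style == PAM_PROMPT_ECHO_OFF) {      /* canned answer for the demo */
            size_t n = strlen((const char *)appdata) + 1;
            if ((r[i].resp = malloc(n)) != NULL) memcpy(r[i].resp, appdata, n);
        }
        if (m->msg_style != PAM_TEXT_INFO && r[i].resp == NULL) {
            while (i--) free(r[i].resp);                /* unknown style or OOM */
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Drives conv_fn with two messages in one call, as the module does once a
 * password has expired. Returns 0 when both were handled, else an error code. */
int demo_two_messages(void)
{
    struct pam_message msgs[2] = { { PAM_TEXT_INFO, "Your password has expired" },
                                   { PAM_PROMPT_ECHO_OFF, "New password: " } };
    const struct pam_message *pmsg = msgs;   /* &pmsg is the (struct pam_message **) argument */
    struct pam_response *resp = NULL; int rc;
    if (conv_fn(2, &pmsg, &resp, "s3cret") != PAM_SUCCESS) return -1;
    rc = resp[0].resp != NULL ? -2 : (strcmp(resp[1].resp, "s3cret") != 0 ? -3 : 0);
    free(resp[1].resp);
    free(resp);
    return rc;
}
```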