On Fri, 7 Mar 2003 11:26:13 -0600 "Jacques A. Vidrine" <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 07, 2003 at 11:31:34AM -0500, James F. Hranicky wrote:
> > Is anyone actually using the password expiration features of
> > Kerberos?
>
> For what it's worth, the password expiration features worked
> previously with login, sshd, pam_krb5 and Heimdal on FreeBSD and
> Linux.

I've got to get Kerberos working in some reasonable fashion on Linux,
FreeBSD, IRIX, and Solaris :-( .

> I'd be careful here. The Linux-PAM and Solaris PAM implementations
> interpret that pointer differently. I know it was correct for
> Linux-PAM, and I thought that Nico had checked it out for Solaris as
> well.

I'd be grateful if anyone using Solaris would verify that the two
patches I've sent in for pam_krb5-1.0.3 (the security fix and the
pointer bug) were useful, necessary, and sufficient.

> However, if you have time and energy, people will learn to love you
> for fixing their PAM problems :)

I'm willing to work on it more, but I'd really like some help.

XDM clearly needs more work to enable password expiration, and I'm not
even sure that it's really feasible to have XDM

- alert users when the password is going to expire soon (though it
  could be done with a system("xprompt message") or something icky
  like that)
- notify the user the password has expired, and prompt the user twice
  more for the new password

sshd currently is having problems with password expiry due to the new
privsep code, at least as far as I can tell from the openssh list.
Right now, in readpassphrase(), the function does a non-blocking read
to get the passphrase, which simply returns 0, giving two empty
responses and causing chauthtok (?) to fail. This is after fixing a
bug that prevents pamstate in do_pam_conversation (auth-pam.c) from
ever being anything other than INITIAL_LOGIN.

What's funny is that if you run in debug mode, you can enter the new
password from the terminal you're running sshd from...nifty, but
impractical :->

I don't know what's up with kdm...eeesh.
Basically, it's a huge job dealing with hundreds of lines of C I
haven't written or fully understand as yet. It's a bit too daunting to
do by myself at work, and I really don't have much spare time for it
(wife and 4 kids :->)

Who's interested in getting it all working?

<rant>

Basically, Kerberos is a great idea all in all, but the current
implementation leaves so many I's undotted and T's uncrossed, like,
say, the above. Of course, the above is a huge band-aid on the fact
that there are so few Kerberized clients that sysadmins are left with
not even bothering to try to implement "proper Kerberos". Without
password expiration, Kerberos becomes little more to me than a way to
avoid having encrypted passwords in a password map: useful, but less
than it could be.

So, whoever's interested, work with me on fixing the above, lending
real password expiration support to however many login programs we
can, then we can move on to Kerberizing or GSSAPI-izing mozilla and
Apache :->

Then, we could work toward making Kerberized applications each do the
equivalent of a kinit, getting a ticket that can be used by other apps
without needing people to run kinit as a standalone program at all!
Just ssh in, type your password, and voila, your TGT is now on your
local machine! Right? Now your browser can use it to access your
Kerberized web server!

</rant>

Of course, it's entirely possible I only know just enough to be
dangerous, or more likely, annoying. Apologies for that. It just seems
that Kerberos, if done "properly" (so Mom doesn't have to know about
it) goes a long way toward making security more convenient, which is a
good (?) thing.
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| [EMAIL PROTECTED]                     http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
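Two of the problems raised in this message, the Linux-PAM/Solaris disagreement over the conversation pointer and the empty replies that make the password change fail, can be shown in a small conversation exchange. This is an added example written for this page, not code from the thread, pam_krb5 or OpenSSH; it copies the PAM conversation types locally with their standard layout so it builds without libpam, and the prompts, the `struct script` replay of replies and the password strings are all constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Local copies of the PAM conversation types, laid out as in
 * <security/pam_appl.h>, so this builds without libpam installed. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };
/* Module side: one question per conversation call.  With num_msg == 1 the
 * Linux-PAM reading (array of struct pointers) and the Solaris reading (pointer
 * to an array of structs) name the same bytes, so the pointer dispute cannot bite. */
static char *converse_one(const struct pam_conv *c, int style, const char *prompt)
{
    struct pam_message m = { style, prompt }; const struct pam_message *mp = &m;
    struct pam_response *r = NULL; char *answer;
    if (c->conv(1, &mp, &r, c->appdata_ptr) != PAM_SUCCESS || !r) return NULL;
    answer = r[0].resp; free(r);   /* caller frees the reply; NULL on failure */
    return answer;
}
/* Module side: the "prompt twice more for the new password" step.  Empty
 * replies (what a non-blocking read that returns 0 yields) are refused. */
int change_expired_password(const struct pam_conv *c)
{
    char *p1 = converse_one(c, PAM_PROMPT_ECHO_OFF, "New password: ");
    char *p2 = converse_one(c, PAM_PROMPT_ECHO_OFF, "Retype new password: ");
    int ok = p1 && p2 && *p1 && strcmp(p1, p2) == 0;
    free(p1); free(p2); return ok;
}
/* Application side: scripted replies stand in for the terminal read. */
struct script { const char **answers; int next; };
static int scripted_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    struct script *s = appdata_ptr; struct pam_response *r; int i;
    if (n <= 0 || !(r = calloc((size_t)n, sizeof *r))) return PAM_CONV_ERR;
    for (i = 0; i < n; i++)           /* Linux-PAM indexing; exact when n == 1 */
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)
            r[i].resp = strdup(s->answers[s->next++]);
    *resp = r;                        /* other styles leave resp == NULL */
    return PAM_SUCCESS;
}
/* Runs the dialog against two constructed replies; returns 1 when accepted. */
int run_dialog(const char *first, const char *second)
{
    const char *answers[] = { first, second };
    struct script s = { answers, 0 }; struct pam_conv c = { scripted_conv, &s };
    return change_expired_password(&c);
}
```

Feeding two empty strings reproduces the failure described for sshd: the change is rejected rather than an empty password being set.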