On Wednesday, January 18, 2006 06:37:44 AM -0800 [EMAIL PROTECTED] wrote:
> In a nutshell, I need to take a username and an expired password and
> see if that truly was the user's last password.

You haven't said what Kerberos server you're using, so I'll assume you're using either the MIT or Heimdal servers. If the server in question is a Microsoft server, then parts of what I'm about to say may be significantly different...

Most servers keep separate "last password change" and "last modified" timestamps for each principal. The former refers specifically to the principal changing its own password (not having it changed by an admin). If you want this information to be correct for auditing purposes, then you want to submit a password change request on the user's behalf, rather than verifying the old password and making a change on your own authority. Conveniently, this approach is also generally easier -- you just collect the username, old password, and new password, and then attempt a password change just as if you were the user. If the old password they gave was invalid, then the request will fail.

If for some reason you feel you need to validate the password yourself, then you will want to do it correctly. That means not just getting a ticket, but getting a ticket for a service whose secret key you know, so that you can verify that the ticket is legitimate. Without this step, an attacker can give you any random string as the "old password", and then forge the response you get from the Kerberos server to make you think the password is valid.

Offhand, I don't know of a way to do this from Perl; maybe someone else here knows of a stable set of Perl modules providing access to the Kerberos API.

> Once I'm able to validate the users' expired information, I already have
> a system in place that will change their password through a web-based
> form... It's just the authentication with expired credentials that's
> killing.

This is likely because the KDC will not issue tickets to a principal with an expired password -- doing so would sort of defeat the purpose of having the password expire in the first place. Once a password is expired, the KDC will only issue initial tickets for services which are flagged as password-changing services.

-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
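The validation step the message describes (obtain initial credentials, then confirm them against a service key you hold so a forged KDC reply cannot pass), written up as an added Perl example that is not from the post, the list, or the Kerberos project. It assumes the CPAN module Authen::Krb5 (libkrb5 bindings) with its get_init_creds_password, kt_resolve and verify_init_creds functions as documented in that module; the principal names, keytab path and sample password are placeholders.

```perl
#!/usr/bin/perl
# Added example: check a user's password the safe way -- get initial credentials
# for a service whose key we hold, then verify the returned ticket against our
# keytab. Assumes the CPAN module Authen::Krb5; function names follow its
# documentation. Principal names and the keytab path are placeholders.
use strict;
use warnings;
use Authen::Krb5;

my $SERVICE = 'host/webform.example.com@EXAMPLE.COM';  # placeholder service principal
my $KEYTAB  = '/etc/krb5.keytab';                     # placeholder keytab holding its key

# Returns (1, reason) when the password is current AND the KDC's reply was
# verified with our own service key; (0, reason) otherwise.
sub verify_user_password {
    my ($username, $password) = @_;

    Authen::Krb5::init_context() or die "cannot initialize krb5 context\n";

    my $client = Authen::Krb5::parse_name($username)
        or return (0, 'bad client principal: ' . Authen::Krb5::error());
    my $server = Authen::Krb5::parse_name($SERVICE)
        or return (0, 'bad service principal: ' . Authen::Krb5::error());

    # Step 1: request initial credentials for $SERVICE with the supplied password.
    # A failure here means the KDC rejected the password (or the account).
    # A success here proves nothing yet: the reply could have been forged.
    my $creds = Authen::Krb5::get_init_creds_password($client, $password, $SERVICE)
        or return (0, 'initial credentials refused: ' . Authen::Krb5::error());

    # Step 2: decrypt the service ticket with the key from our keytab. Only the
    # real KDC holds that key, so a spoofed reply built around an attacker's
    # chosen "old password" fails at this point instead of being accepted.
    my $kt = Authen::Krb5::kt_resolve("FILE:$KEYTAB")
        or return (0, 'cannot open keytab: ' . Authen::Krb5::error());
    Authen::Krb5::verify_init_creds($creds, $server, $kt)
        or return (0, 'ticket did not verify against our key: ' . Authen::Krb5::error());

    return (1, 'password accepted and KDC reply verified');
}

my ($ok, $why) = verify_user_password('jdoe@EXAMPLE.COM', 'placeholder-password');
print $ok ? "OK: $why\n" : "REJECT: $why\n";
```

As the message notes, a KDC will not issue initial tickets for an ordinary service once the password has expired, so this check covers the "validate it yourself" case for current passwords; for expired ones the password-change request on the user's behalf remains the route.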