Hello list, I am not quite new to Kerberos but never had to do much more than create and delete principals so I am not very experienced administrating Kerberos. Thus my question. I am using Ubuntu 10.04 Server, krb5-kdc and krb5-admin-server in version 1.8.1 (1.8.1+dfsg-2ubuntu0.3 to be exact).
Is it possible to create a new principal that requires its user to change the password and expires after a certain time if the user does not log in to change it? I would have thought that the following command does what I want:

    kadmin.local -q "addprinc +needchange +requires_preauth \
        -pwexpire '15 minutes' -pw secret foobar"

If I understand correctly this adds a new principal foobar with password "secret" that should expire in 15 minutes and needs to change the password on the next kinit call. The "requires_preauth" seems to be set by the default policy and needs to be there, otherwise the principal cannot be authenticated.

Unfortunately the user can still log in (and is prompted to change his password by the system) even after the temporary password is past its expiration date. Why so? Does "+needchange" take precedence over any password expiration date?

I want to do this because we create principals by Python scripts and send users the credentials by unencrypted email, including a temporary password. This password must be changed by the user and we don't want the temporary password to be valid forever if a user is too lazy to log in and change it in time. If it were, anyone who manages to get hold of the email message containing the credentials could use the account. Minimising that risk is just good security policy, although in reality that particular scenario is not very likely to really occur.

Thanks in advance!

Andreas
--
Andreas Ntaflos
Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
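A defender-side supplement, added here and not part of Andreas's message or of MIT Kerberos: assuming the KDC keeps accepting the principal past its pwexpire date as described, this Python helper (the post mentions provisioning from Python) builds the addprinc command from the post, parses kadmin getprinc output, and emits a modprinc -allow_tix lockout for principals whose temporary password expired before it was ever changed. The getprinc sample, the EXAMPLE.COM realm and the function names are constructed; the REQUIRES_PWCHANGE attribute label and the date format are what MIT kadmin prints, but verify them against your own version's output.

```python
"""Temporary-password sweep for MIT Kerberos principals (constructed example)."""
import re
import subprocess
from datetime import datetime

_DATE_FMT = "%a %b %d %H:%M:%S %Y"   # kadmin's format with the timezone token removed


def _token(value):
    """kadmin's own parser splits on whitespace and double quotes; refuse both."""
    if re.search(r'[\s"]', value):
        raise ValueError(f"value not safe for a kadmin command: {value!r}")
    return value


def addprinc_command(principal, temp_password, minutes=15):
    """The command from the post: needchange + preauth + a short pwexpire."""
    return (f'addprinc +needchange +requires_preauth -pwexpire "{minutes} minutes" '
            f"-pw {_token(temp_password)} {_token(principal)}")


def run_kadmin_local(command):
    """Feed the command on stdin so the temporary password never shows up in `ps`."""
    return subprocess.run(["kadmin.local"], input=command + "\n", text=True,
                          capture_output=True, check=True).stdout


def parse_getprinc(text):
    """Extract principal name, attribute flags and password expiry from getprinc output."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")   # times contain ':' but keys do not
        fields[key.strip()] = value.strip()
    raw = fields.get("Password expiration date", "[never]")
    if raw == "[never]":
        expiry = None
    else:
        parts = raw.split()                   # drop the timezone abbreviation (index 4)
        expiry = datetime.strptime(" ".join(parts[:4] + parts[5:]), _DATE_FMT)
    return {"principal": fields.get("Principal"),
            "attributes": set(fields.get("Attributes", "").split()),
            "pw_expiry": expiry}


def stale_temp_password(info, now=None):
    """True when the password must still be changed but its expiry is already past."""
    now = now or datetime.now()
    return ("REQUIRES_PWCHANGE" in info["attributes"]
            and info["pw_expiry"] is not None and info["pw_expiry"] < now)


def lockout_command(info):
    """Disable ticket issuance for the principal until an admin re-enables it."""
    return f"modprinc -allow_tix {_token(info['principal'])}"


SAMPLE_GETPRINC = """\
Principal: foobar@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Jun 23 10:00:00 CEST 2011
Password expiration date: Thu Jun 23 10:15:00 CEST 2011
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: [none]
"""
```

Run the sweep from cron over `kadmin.local -q listprincs`, calling `parse_getprinc(run_kadmin_local(f"getprinc {name}"))` per principal and executing `lockout_command` for each stale result.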
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
