[Freeipa-users] Do expired passwords remain usable indefinitely?

Brian Candler b.candler at pobox.com
Tue Oct 25 09:20:57 UTC 2016


Looking in MIT krb5 source:

$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP                1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:            return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,    "Client's entry in database has expired"

There appears to be only one case where NAME_EXP is returned: when the 
client.expiration field has passed (not client.pw_expiration).

The fields are defined in krb5_db_entry in src/include/kdb.h:

     krb5_timestamp        expiration;           /* When the client expires */
     krb5_timestamp        pw_expiration;        /* When its passwd expires */

I think "expiration" must equate to the "principal expiration" in IPA. 
But only regular password expiry would give you the option of changing it.

Regards,

Brian.

=== from src/kdc/kdc_util.c ===

     /* The client must not be expired */
     if (client.expiration && client.expiration < kdc_time) {
         *status = "CLIENT EXPIRED";
         if (vague_errors)
             return(KRB_ERR_GENERIC);
         else
             return(KDC_ERR_NAME_EXP);
     }

     /* The client's password must not be expired, unless the server is
        a KRB5_KDC_PWCHANGE_SERVICE. */
     if (client.pw_expiration && client.pw_expiration < kdc_time &&
         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
         *status = "CLIENT KEY EXPIRED";
         if (vague_errors)
             return(KRB_ERR_GENERIC);
         else
             return(KDC_ERR_KEY_EXP);
     }
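To make the difference between the two checks concrete, here is a stand-alone C model of the quoted kdc_util.c logic. This is an added example, not MIT krb5 or FreeIPA code: the struct is reduced to the three fields the checks read, and the values of KDC_ERR_KEY_EXP (23), KRB_ERR_GENERIC (60) and the KRB5_KDB_PWCHANGE_SERVICE bit are taken from RFC 4120 and kdb.h rather than from the post, so treat them as assumptions. The scenarios show that an expired password still gets a ticket for the password-change service (so it can be reset), while an expired principal is refused everywhere.

```c
/* Added example: model of the two expiration checks quoted from MIT krb5's
 * src/kdc/kdc_util.c. Not krb5 source; types and constants are reduced to
 * what the checks need. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Error codes per RFC 4120 / krb5. Only KDC_ERR_NAME_EXP's value (1) appears
 * in the post; the other two are assumed from the RFC. */
#define KDC_ERR_NAME_EXP   1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXP    23  /* password has expired, change it to reset */
#define KRB_ERR_GENERIC    60  /* generic error, used when vague_errors is set */

/* Attribute bit marking the kadmin/changepw (kpasswd) service principal.
 * Assumed from MIT krb5 kdb.h; here it only needs to be a distinct bit. */
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000

typedef int32_t krb5_timestamp;

/* Minimal stand-in for krb5_db_entry with only the fields the checks read. */
typedef struct {
    krb5_timestamp expiration;     /* principal expiration ("expiration" in kdb.h) */
    krb5_timestamp pw_expiration;  /* password expiration ("pw_expiration") */
    uint32_t       attributes;     /* KRB5_KDB_* flags */
} db_entry;

#define isflagset(flags, bit) (((flags) & (bit)) != 0)

/* Mirrors the two quoted checks. Returns 0 if both pass, otherwise the KDC
 * error code; *status receives the string the KDC would log. */
int check_client_expiry(const db_entry *client, const db_entry *server,
                        krb5_timestamp kdc_time, int vague_errors,
                        const char **status)
{
    /* Principal expiration: no exception, not even for kpasswd. */
    if (client->expiration && client->expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_NAME_EXP;
    }

    /* Password expiration: refused unless the requested server is the
     * password-change service, so the user can still go and set a new one. */
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        return vague_errors ? KRB_ERR_GENERIC : KDC_ERR_KEY_EXP;
    }

    *status = NULL;
    return 0;
}

/* Scenario helper: builds constructed entries around a fixed "now" and
 * returns the error code the checks would produce. */
int run_scenario(int principal_expired, int password_expired,
                 int server_is_pwchange, int vague_errors)
{
    const krb5_timestamp now = 1477387257;  /* constructed: 2016-10-25 09:20:57 UTC */
    db_entry client = { 0, 0, 0 };
    db_entry server = { 0, 0, 0 };
    const char *status;

    if (principal_expired) client.expiration = now - 86400;   /* a day ago */
    if (password_expired)  client.pw_expiration = now - 86400;
    if (server_is_pwchange) server.attributes |= KRB5_KDB_PWCHANGE_SERVICE;

    return check_client_expiry(&client, &server, now, vague_errors, &status);
}

int main(void)
{
    printf("password expired, TGT request:       %d\n", run_scenario(0, 1, 0, 0));
    printf("password expired, kpasswd request:   %d\n", run_scenario(0, 1, 1, 0));
    printf("principal expired, kpasswd request:  %d\n", run_scenario(1, 0, 1, 0));
    printf("principal expired, vague_errors set: %d\n", run_scenario(1, 0, 0, 1));
    return 0;
}
```

The point for the thread: only the pw_expiration path has an escape hatch, and it is the flag on the requested service principal (the kpasswd/changepw service), not anything on the client entry, that opens it.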
