Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
Subject: The current behavior of kadmind makes using minimum password lifetimes difficult
RT-Send-CC:
X-RT-Original-Encoding: iso-8859-1
Content-Length: 3477

[RT_System - Mon Aug 19 14:16:54 2002]:

> From kenh@cmf.nrl.navy.mil Thu Apr 10 13:43:08 1997
> Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by
>         rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29014 for 11.MIT.EDU>;
>         Thu, 10 Apr 1997 13:43:03 -0400
> Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP
>         id AA25519; Thu, 10 Apr 97 12:42:36 EST
> Received: from nexus.cmf.nrl.navy.mil (kenh@nexus.cmf.nrl.navy.mil
>         [134.207.10.9])
>         by ginger.cmf.nrl.navy.mil (8.8.5/8.8.5) with ESMTP id NAA12494
>         for ; Thu, 10 Apr 1997 13:42:41 -0400 (EDT)
> Received: (from kenh@localhost)
>         by nexus.cmf.nrl.navy.mil (8.8.5/8.8.5) id NAA05219;
>         Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
> Message-Id: <199704101742.NAA05219@nexus.cmf.nrl.navy.mil>
> Date: Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
> From: Ken Hornstein
> Reply-To: kenh@cmf.nrl.navy.mil
> To: krb5-bugs@MIT.EDU
> Subject: Don't update the last password change field for new users
> X-Send-Pr-Version: 3.99
>
> >Number:         415
> >Category:       krb5-admin
> >Synopsis:       The current behavior of kadmind makes using minimum
>                  password lifetimes difficult
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    bjaspan
> >State:          open
> >Class:          change-request
> >Submitter-Id:   unknown
> >Arrival-Date:   Thu Apr 10 13:44:01 EDT 1997
> >Last-Modified:
> >Originator:     Ken Hornstein
> >Organization:
> Naval Research Lab
>
> >Release:        1.0
> >Environment:
>
> System: SunOS nexus 4.1.4 3 sun4m
> Architecture: sun4
>
> >Description:
>
> The current way kadmind works makes it difficult to use minimum password
> lifetimes.
>
> When you create a user, the "last password change" field is updated so it
> has the time the account was created. This is problematic if you set a
> minimum password lifetime; if you want new users to change their passwords
> right away, you have to wait until the minimum password lifetime has lapsed
> until they can change their password, and that simply doesn't make sense.
>
> >How-To-Repeat:
>
> Create a user with a long minimum password lifetime, and tell them to change
> their passwords right away.
>
> >Fix:
>
> This simple patch makes it so newly created accounts don't have a
> password change time.
>
> --- lib/kadm5/srv/svr_principal.c.orig	Mon Nov 11 17:05:18 1996
> +++ lib/kadm5/srv/svr_principal.c	Thu Apr 10 13:30:02 1997
> @@ -212,13 +212,6 @@
>      return(ret);
>      }
>
> -    if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) {
> -    krb5_dbe_free_contents(handle->context, &kdb);
> -    if (mask & KADM5_POLICY)
> -        (void) kadm5_free_policy_ent(handle->lhandle, &polent);
> -    return(ret);
> -    }
> -
>      /* initialize the keys */
>
>      if (ret = krb5_dbe_cpw(handle->context, &master_encblock,
>
> >Audit-Trail:
> >Unformatted:

The current behavior of principal creation setting the "last_pwd_change" to
"now" is in accordance with the kadm5 API specification. If you want to require
users with minimum password lifetimes to immediately change their password
after creation, consider setting the "REQUIRES_PWCHANGE" flag at principal
creation time by supplying the "+needchange" option to kadmin addprinc. If you
believe that this technique needs to be publicized further, please file a
separate documentation bug.
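Review bot: Deleting the krb5_dbe_update_last_pwd_change call in this hunk leaves last_pwd_change unset for every principal created through kadm5, not only for the ones an administrator wants to change their password immediately, and the reply on this ticket points out that stamping creation time is what the kadm5 API specification requires. Anything that later reads last_pwd_change for a new principal then sees no value instead of the creation time, which is a wider behaviour change than the report asks for. The narrower fix is to leave this block as it was and set REQUIRES_PWCHANGE at creation (`addprinc +needchange`), which achieves the goal of an immediate change without altering the stored timestamp.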
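A small model of the minimum-lifetime check that the report and the reply are arguing about, added here as an example; it is not MIT krb5 code and not part of this ticket. It assumes, as the reply implies, that kadmind refuses a password change while `now - last_pwd_change` is shorter than the policy's minimum lifetime unless the principal carries REQUIRES_PWCHANGE, that a forced change clears that attribute, and that the submitted patch would leave last_pwd_change unset. The attribute bit value, the policy and the timestamps are constructed for the model.

```python
"""Model of kadmind's minimum-password-lifetime check.

Added example, not MIT krb5 code. Assumed semantics (labelled): a password
change is refused with the equivalent of KADM5_PASS_TOOSOON when
now - last_pwd_change < policy.pw_min_life, unless the principal carries the
REQUIRES_PWCHANGE attribute, which a forced change then clears.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 86400
REQUIRES_PWCHANGE = 0x1  # attribute bit constructed for this model, not the KDB value


@dataclass
class Policy:
    name: str
    pw_min_life: int  # seconds; 0 means no minimum lifetime


@dataclass
class Principal:
    name: str
    last_pwd_change: Optional[int]  # POSIX seconds; None models "never set"
    attributes: int = 0
    policy: Optional[Policy] = None


class PasswordTooSoon(Exception):
    """Stand-in for KADM5_PASS_TOOSOON."""


def create_principal(name, now, policy=None, needchange=False, stamp_creation=True):
    """stamp_creation=True is stock kadmind (creation time recorded);
    stamp_creation=False models the submitted patch (field left unset)."""
    attrs = REQUIRES_PWCHANGE if needchange else 0
    return Principal(name, now if stamp_creation else None, attrs, policy)


def can_change_password(p, now):
    """True when the minimum-lifetime policy allows a change at time `now`."""
    if p.policy is None or p.policy.pw_min_life == 0 or p.last_pwd_change is None:
        return True
    if p.attributes & REQUIRES_PWCHANGE:
        return True  # a required change bypasses the minimum lifetime
    return now - p.last_pwd_change >= p.policy.pw_min_life


def change_password(p, now):
    """Apply a password change, enforcing the policy; clears REQUIRES_PWCHANGE."""
    if not can_change_password(p, now):
        raise PasswordTooSoon(f"{p.name}: minimum password lifetime not yet elapsed")
    p.last_pwd_change = now
    p.attributes &= ~REQUIRES_PWCHANGE
    return p


def demo():
    """Returns (blocked_stock, allowed_needchange, blocked_after_forced_change,
    allowed_stock_after_min_life) for a 7-day minimum lifetime."""
    pol = Policy("users", 7 * DAY)
    t0 = 860_000_000  # constructed timestamp, roughly April 1997
    alice = create_principal("alice", t0, pol)               # the report's case
    bob = create_principal("bob", t0, pol, needchange=True)  # the reply's advice
    blocked_stock = not can_change_password(alice, t0 + 3600)
    allowed_needchange = can_change_password(bob, t0 + 3600)
    change_password(bob, t0 + 3600)
    blocked_after = not can_change_password(bob, t0 + 2 * 3600)
    allowed_later = can_change_password(alice, t0 + 7 * DAY)
    return blocked_stock, allowed_needchange, blocked_after, allowed_later


if __name__ == "__main__":
    print(demo())
```

The four booleans from `demo()` are the whole argument of the ticket: a principal created the stock way is blocked for the full minimum lifetime even one hour after creation, one created with the needchange attribute may change at once, the attribute is consumed by that change so the policy applies normally afterwards, and the stock principal becomes eligible once the lifetime has elapsed.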