From Sun Nov 30 12:06:36 2003
Received: from (FORT-POINT-STATION.MIT.EDU []) by (8.9.3p2) with ESMTP
id MAA13739; Sun, 30 Nov 2003 12:06:36 -0500 (EST)
Received: from ( [])
by (8.12.4/8.9.2) with ESMTP id hAUH6ZoR022342
for <>; Sun, 30 Nov 2003 12:06:35 -0500 (EST)
Received: from eiger.localnet ( [])
by (Postfix) with ESMTP id 3569C1C0053F
for <>; Sun, 30 Nov 2003 17:06:34 +0000 (GMT)
Received: from makalu.localnet (makalu [])
by eiger.localnet (8.12.10/8.12.9) with ESMTP id hAUH0Ope020886
for <>; Sun, 30 Nov 2003 17:00:24 GMT
From: Mary Cushion <>
Subject: No advanced warning of password expiry (including fix)
Date: Sun, 30 Nov 2003 17:07:42 +0000
User-Agent: KMail/1.5.3
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <>

>Submitter-Id: net
>Originator: Mary Cushion
>Confidential: no
>Synopsis: No advanced warning of password expiry
>Severity: non-critical
>Priority: low
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
System: Linux 2.6.0-test9
Architecture: i686
>Description:
When a Kerberos password is close to expiry, no warning messages are seen,
even though there is code in lib/krb5/krb/gic_pwd.c to do this.
>How-To-Repeat:
Set a short password expiry policy
>Fix:
The problem seems to be the contents of the key_exp field included in
the KRB_AS_REP message sent to the client.

In kdc/do_as_req.c, this field is set to client.expiration, the client
principal expiration date, which is often far in the future or never.
However, this value is retrieved in lib/krb5/krb/gic_pwd.c and tested
against the current time to determine whether the password is close
to expiry.

The following tiny patch to the KDC code makes password expiry warnings work,
and I cannot see anywhere else in the client code that needs the original
meaning?

--- do_as_req.c.orig 2002-11-04 02:20:51.000000000 +0000
+++ do_as_req.c 2003-11-19 17:23:26.000000000 +0000
@@ -370,7 +370,7 @@
goto errout;
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client.pw_expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
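Review bot: swapping client.expiration for client.pw_expiration on the key_exp line fixes the warning but inverts the problem rather than resolving it: the account expiration is now dropped entirely, and RFC 1510 (and RFC 4120) define key-expiration as the earlier of the password and account expiration, so an account that expires before its password would no longer be reported. Suggest computing the minimum of the two instead, and, since the report notes client.expiration is often "never", make sure an unset sentinel value (whatever the KDC uses to mean "never") is excluded from the comparison rather than fed into a plain min(), which would otherwise pick the sentinel and report an already-expired key.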

According to RFC1510, this field should more properly be the minimum of
both client and password expiration dates, but it may be more confusing to a
user to warn that "Your password or account will expire in 6 days", when
there's not much they can do about the account bit.
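The two sides of the mechanism described in this report, written out as an added example that is not code from the krb5 tree: a KDC-side helper that derives the AS-REP key-expiration field both the way the original do_as_req.c did (account expiration only) and the way RFC 4120 specifies (the earlier of password and account expiration), and a client-side check of the kind gic_pwd.c performs. The function names, the seven-day warning window and the convention that a zero timestamp means "never expires" are assumptions made for this example, not taken from the page; the sample timestamps are constructed.

```c
/* Added example, not krb5 project code.  Models how the AS-REP
 * key-expiration field is derived on the KDC and consumed on the client.
 * Assumption: a timestamp of 0 means "never expires" (used here for both
 * the account and password expiration fields). */
#include <stdio.h>
#include <stdint.h>

typedef int64_t ts_t;                /* seconds since the epoch; 0 = never */

#define DAY          86400L
#define WARN_WINDOW  (7 * DAY)       /* assumed client warning threshold */

/* Behaviour the report complains about: key_exp carries only the account
 * expiration, which is often far in the future or unset. */
ts_t key_exp_account_only(ts_t account_exp, ts_t pw_exp)
{
    (void)pw_exp;                    /* password expiry is ignored */
    return account_exp;
}

/* RFC 4120 semantics: the earlier of the two expirations, where an unset
 * (0) value does not participate in the comparison.  A naive min() would
 * otherwise return 0 and make the client think the key is already expired. */
ts_t key_exp_rfc4120(ts_t account_exp, ts_t pw_exp)
{
    if (pw_exp == 0)
        return account_exp;
    if (account_exp == 0)
        return pw_exp;
    return pw_exp < account_exp ? pw_exp : account_exp;
}

/* Client side: whole days until key_exp if a warning is due, 0 if it has
 * already passed, or -1 when no warning should be shown (field unset or
 * expiry further away than WARN_WINDOW). */
long days_until_expiry_warning(ts_t key_exp, ts_t now)
{
    if (key_exp == 0)
        return -1;
    ts_t remaining = key_exp - now;
    if (remaining > WARN_WINDOW)
        return -1;
    if (remaining < 0)
        return 0;
    return (long)(remaining / DAY);
}

int main(void)
{
    /* Constructed scenario from the report: account never expires,
     * password expires in six days. */
    ts_t now         = 1070000000;           /* 2003-11-28, roughly */
    ts_t account_exp = 0;                    /* never */
    ts_t pw_exp      = now + 6 * DAY + 3600; /* six days and an hour away */

    ts_t old_field = key_exp_account_only(account_exp, pw_exp);
    ts_t new_field = key_exp_rfc4120(account_exp, pw_exp);

    printf("old key_exp=%lld -> warning days=%ld\n",
           (long long)old_field, days_until_expiry_warning(old_field, now));
    printf("new key_exp=%lld -> warning days=%ld\n",
           (long long)new_field, days_until_expiry_warning(new_field, now));
    return 0;
}
```

With the old derivation the client receives key_exp = 0 and stays silent; with the RFC 4120 derivation it receives the password expiration and can warn six days ahead. When the account itself expires sooner than the password, the same helper returns the account date, which is the "password or account will expire" ambiguity the reporter mentions; the field carries no indication of which one it was.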
Subject: SVN Commit

In AS replies, set the key-expiration field to the minimum of account
and password expiration time as specified in RFC 4120. Reported by
Mary Cushion <>.
Commit By: ghudson
Revision: 24240
Changed Files:
U trunk/src/kdc/do_as_req.c