Skip Menu |
 

Date: Fri, 20 Aug 2004 15:42:45 -0700
From: "Paul Moore" <paul.moore@centrify.com>
To: <krb5-bugs@mit.edu>
Subject: feature proposal - programmatic retrieval of password expiry
Today get_init_creds_password will tell the user if their password will
expire but only via hard-coded messages sent via the prompter. It is
useful for applications that dont the prompting themselves to retrieve
the password expiry time so that they can deal with it in an app
specifiy way (configurable warning window, offer the user tthe choice to
change now, ...)

To this end we have added a secondary entry point to gig_pwd.c;
get_init_creds_password_expiry that takes an int* that gets populated
with the expiry time.

Is this a useful feature. Would you like the diffs?

An alternaitive approach is to fake up a prompter and parse the ascii
text. There is one major problem with this - the expiry warnings are not
generated until 7 days before expiry (in 1.3.4), so we cannot see this
data before that (to warn 10 days in advance for example). Also parsing
text that may or may not get sent is pretty klunky
To: rt@krbdev.mit.edu
Cc: krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2676] feature proposal - programmatic retrieval of password expiry
From: Sam Hartman <hartmans@mit.edu>
Date: Sat, 21 Aug 2004 03:40:30 -0400
RT-Send-Cc:
Show quoted text
>>>>> """ == " Paul Moore " via RT <rt-comment@krbdev.mit.edu> writes:

"> Is this a useful feature. Would you like the diffs?


It sounds like a useful feature, but unfortunately not a useful API.
The problem is that things tend to get too cluttered if we keep adding
APIs like this to add one new argument. krb5_mk_req_* is an example
of this gone badly.

The strategy we'd like to adopt is to add an extension mechanism to an
API whenever we find that the API is inadequate. We've had some
internal discussions of how to do this for the gic API, but none have
been particularly satisfactory.
Subject: RE: [krbdev.mit.edu #2676] feature proposal - programmatic retrieval of password expiry
Date: Mon, 23 Aug 2004 09:38:45 -0700
From: "Paul Moore" <paul.moore@centrify.com>
To: <rt-comment@krbdev.mit.edu>
Cc: <krb5-prs@mit.edu>
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.5KiB

How about this:-

get_init_creds_password_ex
With one additional parameter that is a pointer to a
Struct gic_pw_ex_block
{
int version; // = 1
int expiry_time;
}
This can then become the general extension style for an API: - define a struct to be passed in and create an ex version of the API. The ex block can both be read and written by the function. The version stamp reduces issues with old client code with newer API library

Its not very fancy but
A) it works
B) its systematic
C) it preserved the existing API
D) once an extended version of an API is defined no further mods the the API signtaure itself is needed
E) it is somewhat version safe (if a little naïve)



Show quoted text
-----Original Message-----
From: 0000-Admin [mailto:daemon@MIT.EDU] On Behalf Of Sam Hartman via RT
Sent: Saturday, August 21, 2004 12:40 AM
To: Paul Moore
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2676] feature proposal - programmatic retrieval of password expiry

>>>>> """ == " Paul Moore " via RT <rt-comment@krbdev.mit.edu> writes:

"> Is this a useful feature. Would you like the diffs?


It sounds like a useful feature, but unfortunately not a useful API.
The problem is that things tend to get too cluttered if we keep adding APIs like this to add one new argument. krb5_mk_req_* is an example of this gone badly.

The strategy we'd like to adopt is to add an extension mechanism to an API whenever we find that the API is inadequate. We've had some internal discussions of how to do this for the gic API, but none have been particularly satisfactory.