From kenh@cmf.nrl.navy.mil Thu Apr 10 13:43:08 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA29014 for <bugs@RT-11.MIT.EDU>; Thu, 10 Apr 1997 13:43:03 -0400
Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP
id AA25519; Thu, 10 Apr 97 12:42:36 EST
Received: from nexus.cmf.nrl.navy.mil (kenh@nexus.cmf.nrl.navy.mil [134.207.10.9])
by ginger.cmf.nrl.navy.mil (8.8.5/8.8.5) with ESMTP id NAA12494
for <krb5-bugs@mit.edu>; Thu, 10 Apr 1997 13:42:41 -0400 (EDT)
Received: (from kenh@localhost)
by nexus.cmf.nrl.navy.mil (8.8.5/8.8.5) id NAA05219;
Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
Message-Id: <199704101742.NAA05219@nexus.cmf.nrl.navy.mil>
Date: Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: Don't update the last password change field for new users
X-Send-Pr-Version: 3.99

>Number: 415
>Category: krb5-admin
>Synopsis: The current behavior of kadmind makes using minimum password lifetimes difficult
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bjaspan
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 10 13:44:01 EDT 1997
>Last-Modified:
>Originator: Ken Hornstein
>Organization:
Naval Research Lab

>Release: 1.0
>Environment:

System: SunOS nexus 4.1.4 3 sun4m
Architecture: sun4

>Description:

The current way kadmind works makes it difficult to use minimum password
lifetimes.

When you create a user, the "last password change" field is updated so it
has the time the account was created. This is problematic if you set a
minimum password lifetime; if you want new users to change their passwords
right away, you have to wait until the minimum password lifetime has lapsed
before they can change their password, and that simply doesn't make sense.
>How-To-Repeat:

Create a user with a long minimum password lifetime, and tell them to change
their passwords right away.
>Fix:

This simple patch makes it so newly created accounts don't have a
password change time.

--- lib/kadm5/srv/svr_principal.c.orig Mon Nov 11 17:05:18 1996
+++ lib/kadm5/srv/svr_principal.c Thu Apr 10 13:30:02 1997
@@ -212,13 +212,6 @@
return(ret);
}

- if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) {
- krb5_dbe_free_contents(handle->context, &kdb);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
-
/* initialize the keys */

if (ret = krb5_dbe_cpw(handle->context, &master_encblock,
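Review bot: the deletion of the `krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)` call is unconditional, so every newly created principal is left without a last password change time whether or not its policy carries a minimum lifetime, and the reply on this ticket says that setting the field to the creation time is what the kadm5 API specification requires. Rather than removing the call, consider keeping it and handling the immediate-change case with the REQUIRES_PWCHANGE attribute (`+needchange` on addprinc), which keeps the field meaningful for anything else that reads it; if the deletion is kept, a comment at this point in `svr_principal.c` stating that the field is intentionally left unset for new principals would help the next reader, and the remaining `if (ret = krb5_dbe_cpw(...` path should be checked against a zero `last_pwd_change`.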
>Audit-Trail:
>Unformatted:
Subject: The current behavior of kadmind makes using minimum password lifetimes difficult
[RT_System - Mon Aug 19 14:16:54 2002]:


The current behavior of principal creation setting the "last_pwd_change" to "now" is in
accordance with the kadm5 API specification. If you want to require users with minimum
password lifetimes to immediately change their password after creation, consider setting the
"REQUIRES_PWCHANGE" flag at principal creation time by supplying the "+needchange"
option to kadmin addprinc.

If you believe that this technique needs to be publicized further, please file a separate
documentation bug.
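Both messages on this ticket turn on how a minimum password lifetime interacts with a freshly created principal. The C model below is added here as an illustration and is not krb5 code: it puts the three variants side by side, the behaviour the report complains about (last password change set to creation time), the submitted patch (field left unset), and the reply's suggestion (REQUIRES_PWCHANGE set with `+needchange`). The struct, the flag value, the function names and the timestamps are constructed for the example; the real kadmind check is not reproduced.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in bit for the KDB attribute; the real value is not on this page. */
#define REQUIRES_PWCHANGE 0x1u

/* Hypothetical minimal principal record: only the fields this check needs. */
typedef struct {
    time_t   last_pwd_change;  /* 0 means "never recorded" */
    time_t   pw_min_life;      /* policy: seconds a password must be kept */
    unsigned attributes;       /* flag bits such as REQUIRES_PWCHANGE */
} principal_t;

/* Seconds remaining before the user may change their own password; 0 = allowed now. */
time_t seconds_until_change_allowed(const principal_t *p, time_t now)
{
    if (p->attributes & REQUIRES_PWCHANGE)
        return 0;   /* an administrator forced a change: minimum lifetime is waived */
    if (p->pw_min_life == 0 || p->last_pwd_change == 0)
        return 0;   /* no policy, or no recorded change to measure from */
    time_t earliest = p->last_pwd_change + p->pw_min_life;
    return now >= earliest ? 0 : earliest - now;
}

/* Apply a successful change: record the time and clear the one-shot flag
 * (modelled behaviour; the flag is assumed to be consumed by the change). */
void apply_password_change(principal_t *p, time_t now)
{
    p->last_pwd_change = now;
    p->attributes &= ~REQUIRES_PWCHANGE;
}

/* Three ways to create a principal under a constructed one-day minimum lifetime. */
principal_t create_as_reported(time_t now)      /* field set to creation time */
{
    principal_t p = { now, 86400, 0 };
    return p;
}
principal_t create_as_patched(time_t now)       /* submitted patch: field left unset */
{
    (void)now;
    principal_t p = { 0, 86400, 0 };
    return p;
}
principal_t create_with_needchange(time_t now)  /* reply's suggestion: +needchange */
{
    principal_t p = { now, 86400, REQUIRES_PWCHANGE };
    return p;
}

int main(void)
{
    const time_t t0 = 860000000;  /* constructed timestamp, April 1997 */
    principal_t a = create_as_reported(t0);
    principal_t b = create_as_patched(t0);
    principal_t c = create_with_needchange(t0);
    printf("as reported:  wait %ld s\n", (long)seconds_until_change_allowed(&a, t0));
    printf("patched:      wait %ld s\n", (long)seconds_until_change_allowed(&b, t0));
    printf("+needchange:  wait %ld s\n", (long)seconds_until_change_allowed(&c, t0));
    apply_password_change(&c, t0);   /* the forced change happens at t0 */
    printf("one hour later: wait %ld s\n",
           (long)seconds_until_change_allowed(&c, t0 + 3600));
    return 0;
}
```

The last two lines of output show why the reply's approach is the better fit: the flag waives the minimum lifetime exactly once, and as soon as the user has changed the password the recorded time is set and the policy applies normally, whereas the patch leaves the field empty for every new principal regardless of policy.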