[OpenAFS] Reset a principal's last cpw timestamp w/o resetting the password?
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 16 Dec 2005 00:14:19 -0500
On Thursday, December 15, 2005 10:25:04 PM -0500 David Perel <davidp@oak.njit.edu> wrote:
>
> Hello --
>
> We are faced with the situation of now having to, for the first time,
> enforce password expiration (number of days the password is valid since
> the last password change - the "pwexpires" switch for kas) for some
> 12,000 AFS principals. We are presently using the Transarc kaserver
> (Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT)
> around 2007.
>
> When using kas to set password expiration, the maximum value of
> pwexpires is 254 (same for the OpenAFS kas). The password for most of
> the principals here was last changed more than 254 days ago (the cell
> has been in existence for about 12 years). This means that if
> password expiration were to be set now, without the users first
> resetting their passwords, most users would not be able to log in to
> their AFS account.
This is not as big a problem as it seems. Correctly handling password
expiration requires authentication tools that understand it, and prompt
users with expired passwords to change them. So, a user with an expired
password is not prevented from logging in; he is simply forced to change
the password.
Of course, this means you need to make sure your clients can deal before
you even think of turning password expiration on. But once you do, you can
allow users' passwords to expire, and they'll simply be forced to change
them on the next login.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA