[OpenAFS] Reset a principal's last cpw timestamp w/o resetting the password?
David Perel
davidp@oak.njit.edu
Thu, 15 Dec 2005 22:25:04 -0500 (EST)
Hello --
We are faced with the situation of now having to, for the first time,
enforce password expiration (number of days the password is valid since
the last password change - the "pwexpires" switch for kas) for some
12,000 AFS principals. We are presently using the Transarc kaserver
(Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT)
around 2007.
When using kas to set password expiration, the maximum value of pwexpires
is 254 (same for the OpenAFS kas). The password for most of the principals
here was last changed more than 254 days ago (the cell has been in existence
for about 12 years). This means that if password expiration were to be
set now, without the users first resetting their passwords, most users
would not be able to log in to their AFS account.
One way to deal with the situation would be to first have all the users
change their passwords over a few days' period, soon after which the
password expiration would be enforced. However, we have little confidence
that a significant percentage of the users would comply, so we'd like
to avoid this procedure, if possible. We also want to avoid changing
users' passwords and trying to (securely) inform them of their
new password.
The question: Is there any way to manipulate the kaserver database,
kaserver.DB0, so that the "last cpw:" value can be reset to an arbitrary
timestamp for a principal? I would be very surprised if there were a
reliable way, and even more surprised if the resulting database was not in
some way problematical, but, who knows, maybe someone's done this already,
or anyway, tried.
Thanks for any help on this.
David Perel
University Computing Systems
New Jersey Institute of Technology
davidp@oak.njit.edu
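As an added example (not from the original post, and not OpenAFS code), here is how an administrator could gauge the lockout impact described above before enforcing pwexpires: it parses the "last cpw:" dates out of constructed `kas examine`-style output and lists the principals whose password age already exceeds the 254-day maximum. The exact layout of the `kas examine` output, and the sample principals, are assumptions.

```python
import re
from datetime import datetime, timedelta

# Maximum pwexpires value kas setfields accepts (per the post): 254 days.
MAX_PWEXPIRES_DAYS = 254

# Constructed sample in the style of "kas examine -name <user>" output.
# Assumption: the "last cpw:" field and the ctime(3)-style date look like this;
# surrounding lines may differ between kaserver versions.
SAMPLE_KAS_OUTPUT = """\
User data for alice
  key (3) cksum is 1234567890, last cpw: Wed Nov 30 09:12:44 2005
  password will never expire.
User data for bob
  key (1) cksum is 987654321, last cpw: Mon Mar 10 14:05:02 2003
  password will never expire.
User data for carol
  key (0) cksum is 55512345, last cpw: Fri Jan 17 08:00:00 1997
  password will never expire.
"""

USER_RE = re.compile(r"^User data for (\S+)")
CPW_RE = re.compile(r"last cpw: (.+)$")


def parse_last_cpw(text):
    """Map each principal name to the datetime of its last password change."""
    result, current = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CPW_RE.search(line)
        if m and current:
            # kas prints ctime(3)-style dates, e.g. "Wed Nov 30 09:12:44 2005"
            result[current] = datetime.strptime(m.group(1).strip(),
                                                "%a %b %d %H:%M:%S %Y")
    return result


def would_be_locked_out(last_cpw, now, pwexpires_days=MAX_PWEXPIRES_DAYS):
    """Principals whose password is already older than the expiry window."""
    limit = now - timedelta(days=pwexpires_days)
    return sorted(name for name, ts in last_cpw.items() if ts < limit)


if __name__ == "__main__":
    ages = parse_last_cpw(SAMPLE_KAS_OUTPUT)
    print(would_be_locked_out(ages, datetime.now()))
```

Running the parser over the real `kas examine` output for every entry from `kas list` gives the count of users who would need a password change before expiration can be switched on.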