[OpenAFS] Reset a principal's last cpw timestamp w/o resetting the password?

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 16 Dec 2005 00:14:19 -0500


On Thursday, December 15, 2005 10:25:04 PM -0500 David Perel 
<davidp@oak.njit.edu> wrote:

>
>   Hello --
>
>   We are faced with the situation of now having to, for the first time,
>   enforce password expiration (number of days the password is valid since
>   the last password change - the "pwexpires" switch for kas) for some
>   12,000 AFS principals. We are presently using the Transarc kaserver
>   (Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT)
>   around 2007.
>
>   When using kas to set password expiration, the maximum value of
>   pwexpires is 254 (same for the OpenAFS kas). The password for most of
>   the principals here was last changed more than 254 days ago (the cell
>   has been in existence for about 12 years). This means that if
>   password expiration were to be set now, without the users first
>   resetting their passwords, most users would not be able to log in to
>   their AFS account.

This is not as big a problem as it seems.  Correctly handling password 
expiration requires authentication tools that understand it, and prompt 
users with expired passwords to change them.  So, a user with an expired 
password is not prevented from logging in; he is simply forced to change 
the password.

Of course, this means you need to make sure your clients can deal before 
you even think of turning password expiration on.  But once you do, you can 
allow users' passwords to expire, and they'll simply be forced to change 
them on the next login.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
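As an added illustration of the expiry check being discussed (this is example code written for this page, not part of the thread, of OpenAFS, or of the kaserver), the following Python model applies a kas-style pwexpires limit to a constructed set of principals and shows the difference between a client that understands password expiry and one that does not. It assumes that a pwexpires value of 0 means the password never expires and that the comparison is "strictly older than pwexpires days"; the principal names, dates and the 2005-12-16 reference date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Upper bound the kas pwexpires switch accepts, as stated in the thread.
KAS_PWEXPIRES_MAX = 254


class LoginOutcome(Enum):
    OK = "ok"
    MUST_CHANGE_PASSWORD = "must_change_password"
    DENIED = "denied"


@dataclass(frozen=True)
class Principal:
    name: str
    last_cpw: date  # date of the last password change


def password_expired(p: Principal, pwexpires: int, today: date) -> bool:
    """True if the password is older than pwexpires days.

    pwexpires == 0 is treated as "never expires" (assumed kas convention);
    values above KAS_PWEXPIRES_MAX are rejected, as kas would refuse them.
    """
    if not 0 <= pwexpires <= KAS_PWEXPIRES_MAX:
        raise ValueError(f"pwexpires must be 0..{KAS_PWEXPIRES_MAX}, got {pwexpires}")
    if pwexpires == 0:
        return False
    return (today - p.last_cpw) > timedelta(days=pwexpires)


def login(p: Principal, pwexpires: int, today: date,
          client_understands_expiry: bool) -> LoginOutcome:
    """Model the login decision for one principal.

    A client that understands expiry turns an expired password into a
    forced change; a client that does not simply fails the login, which is
    the situation the reply warns about.
    """
    if not password_expired(p, pwexpires, today):
        return LoginOutcome.OK
    if client_understands_expiry:
        return LoginOutcome.MUST_CHANGE_PASSWORD
    return LoginOutcome.DENIED


def expiry_report(principals, pwexpires: int, today: date) -> dict:
    """Count how many principals would be forced to change on next login."""
    expired = [p.name for p in principals if password_expired(p, pwexpires, today)]
    return {"total": len(principals), "expired": len(expired), "names": expired}


# Constructed sample population: one recent change, one older than 254 days,
# one dating from roughly the cell's creation.
TODAY = date(2005, 12, 16)
SAMPLE_PRINCIPALS = [
    Principal("alice", date(2005, 10, 1)),
    Principal("bob", date(2004, 6, 1)),
    Principal("carol", date(1993, 9, 15)),
]

if __name__ == "__main__":
    for limit in (0, 90, KAS_PWEXPIRES_MAX):
        print(f"pwexpires={limit}: {expiry_report(SAMPLE_PRINCIPALS, limit, TODAY)}")
    for p in SAMPLE_PRINCIPALS:
        print(p.name,
              "aware client ->", login(p, KAS_PWEXPIRES_MAX, TODAY, True).value,
              "| unaware client ->", login(p, KAS_PWEXPIRES_MAX, TODAY, False).value)
```

Running it shows that even at the 254-day maximum, every principal whose last change predates the limit is reported as expired, and that the outcome for those users depends entirely on the client: MUST_CHANGE_PASSWORD where the client handles expiry, DENIED where it does not.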