On Пят, 19 сне 2025, Sumit Bose via FreeIPA-users wrote:
Am Thu, Dec 18, 2025 at 05:31:12PM +0100 schrieb Frank Bergmann via
FreeIPA-users:
On Thu, Dec 18, 2025 at 04:58:00PM +0100, Sumit Bose via FreeIPA-users wrote:
> > Which C/C++ API/Lib can be used to handle an expired password?
> > (e.g. providing old and new password and submit them to get a
> > non-expired account)
>
> Hi,
>
> it is PAM as well, see man pam_chauthtok for details.
Hmmm... correct me if I'm wrong, but IMHO I need a valid TGT for it.
Hi,
with PAM the configured PAM modules, e.g. SSSD, should take care of
this. To change a password via Kerberos a TGT is not needed but a
dedicated 'kadmin/changepw' ticket is sufficient. Typically you can
request this ticket even if your Kerberos password is expired.
That's for password-based operations. I think we currently have a bit of
an issue for OTP case when the password grace period set to 0.
See some details on https://pagure.io/freeipa/issue/9905.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
