On Thursday, December 15, 2005 10:25:04 PM -0500 David Perel <[EMAIL PROTECTED]> wrote:
> Hello -- We are faced with the situation of now having to, for the first time, enforce password expiration (number of days the password is valid since the last password change - the "pwexpires" switch for kas) for some 12,000 AFS principals. We are presently using the Transarc kaserver (Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT) around 2007. When using kas to set password expiration, the maximum value of pwexpires is 254 (same for the OpenAFS kas). The password for most of the principals here was last changed more than 254 days ago (the cell has been in existence for about 12 years). This means that if password expiration were to be set now, without the users first resetting their passwords, most users would not be able to log in to their AFS account.
This is not as big a problem as it seems. Correctly handling password expiration requires authentication tools that understand it, and prompt users with expired passwords to change them. So, a user with an expired password is not prevented from logging in; he is simply forced to change the password.
Of course, this means you need to make sure your clients can deal before you even think of turning password expiration on. But once you do, you can allow users' passwords to expire, and they'll simply be forced to change them on the next login.
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
