From 3c526b3fbf333943f337cc2e508eb76ee5436d8b Mon Sep 17 00:00:00 2001 From: Ken Hornstein Date: Wed, 23 Oct 2002 20:08:04 +0000 Subject: [PATCH] gic_pwd doesn't support password expiration notification via last_req hint In kerberos-clarifications, a new last-req type (6) has been specified that indicates when a principal's password will expire. This code implements support for this last-req type. Note that the intent is that the last-req type will only be included by the KDC when the time until password expiration reaches some threshold (e.g, one week), so this code will display the password expiration anytime the last-req type is included. ticket: 1065 ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14936 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/ChangeLog | 5 +++++ src/include/krb5.hin | 1 + src/lib/krb5/krb/ChangeLog | 6 ++++++ src/lib/krb5/krb/gic_pwd.c | 41 +++++++++++++++++++++++++++++++++++++- 4 files changed, 52 insertions(+), 1 deletion(-) diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 77d721b51..6aeda6d41 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,8 @@ +2002-10-23 Ken Hornstein + + * krb5.hin: Add new LRQ type for password expiration + (from krb-clarifications) + 2002-10-07 Sam Hartman * Makefile.in : Add install-headers support diff --git a/src/include/krb5.hin b/src/include/krb5.hin index a8fa4766b..7ab1cde04 100644 --- a/src/include/krb5.hin +++ b/src/include/krb5.hin @@ -839,6 +839,7 @@ krb5_error_code krb5_decrypt_data #define KRB5_LRQ_ONE_LAST_RENEWAL (-4) #define KRB5_LRQ_ALL_LAST_REQ 5 #define KRB5_LRQ_ONE_LAST_REQ (-5) +#define KRB5_LRQ_PW_EXPTIME 6 /* PADATA types */ #define KRB5_PADATA_NONE 0 diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 14b02e6bb..a651f2497 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog 
@@ -1,3 +1,9 @@ +2002-10-23 Ken Hornstein + + * gic_pwd.c (krb5_get_init_creds_password): Fix bug in previous + password expiration warning; also, check for password expiration + warnings via LRQ type from krb-clarifications. + 2002-09-11 Sam Hartman * fwd_tgt.c (krb5_fwd_tgt_creds): If our initial tickets don't diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index caa48c590..776669af4 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -287,6 +287,7 @@ cleanup: if (ret == 0) { krb5_timestamp now; + krb5_last_req_entry **last_req; int hours; /* XXX 7 days should be configurable. This is all pretty ad hoc, @@ -294,7 +295,7 @@ cleanup: with timezones, etc. */ if (prompter && - (in_tkt_service && + (!in_tkt_service || (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && ((ret = krb5_timeofday(context, &now)) == 0) && as_reply->enc_part2->key_exp && 
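Review bot: The condition touched here still dereferences `as_reply->enc_part2->key_exp` without the `as_reply->enc_part2 &&` guard used by the `else if` added in the third hunk, and because this `if` is evaluated first, the later guard cannot protect it. Either add the same guard here, or drop it there if `enc_part2` is guaranteed non-NULL whenever `ret == 0` (that guarantee is not visible in the hunk). The test `prompter && (!in_tkt_service || strcmp(in_tkt_service, "kadmin/changepw") != 0)` is now repeated in both branches. Computing it once into a local, with a short comment on why warnings are skipped for `kadmin/changepw`, would keep the two copies from drifting apart again. The enclosing function starts and ends outside this hunk.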
@@ -313,6 +314,44 @@ cleanup: /* ignore an error here */ /* PROMPTER_INVOCATION */ (*prompter)(context, data, 0, banner, 0, 0); + } else if (prompter && + (!in_tkt_service || + (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && + as_reply->enc_part2 && as_reply->enc_part2->last_req) { + /* + * Check the last_req fields + */ + + for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++) + if ((*last_req)->lr_type == KRB5_LRQ_PW_EXPTIME) { + krb5_deltat delta; + char ts[256]; + + if ((ret = krb5_timeofday(context, &now))) + break; + + if ((ret = krb5_timestamp_to_string((*last_req)->value, + ts, sizeof(ts)))) + break; + + delta = (*last_req)->value - now; + + if (delta < 3600) + sprintf(banner, + "Warning: Your password will expire in less than one " + "hour on %s", ts); + else if (delta < 86400*2) + sprintf(banner, + "Warning: Your password will expire in %d hour%s on %s", + delta / 3600, delta < 7200 ? "" : "s", ts); + else + sprintf(banner, + "Warning: Your password will expire in %d days on %s", + delta / 86400, ts); + /* ignore an error here */ + /* PROMPTER_INVOCATION */ + (*prompter)(context, data, 0, banner, 0, 0); + } } } -- 2.26.2
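Review bot: The three `sprintf(banner, ...)` calls in the new `KRB5_LRQ_PW_EXPTIME` branch write the fixed text plus up to 255 bytes of `ts` into `banner` with no bound, and `banner` is declared outside this hunk, so its size cannot be checked here. If it is an array in this function, bound each write, e.g. `snprintf(banner, sizeof(banner), "Warning: Your password will expire in %d days on %s", delta / 86400, ts);`. The loop also assigns `ret` from `krb5_timeofday` and `krb5_timestamp_to_string` before `break`, so a failure while formatting an advisory warning appears to replace the success code of the exchange. A separate local would keep the warning best-effort, in line with the `/* ignore an error here */` comment. `delta` is never checked for a negative value, so an expiry time already in the past would be reported as "less than one hour".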