author | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2002-10-23 20:08:04 +0000 |
---|---|---|
committer | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2002-10-23 20:08:04 +0000 |
commit | 3c526b3fbf333943f337cc2e508eb76ee5436d8b (patch) | |
tree | fcddd51275804271279d82d34b8b66dbfec7d1b6 /src/lib/krb5/krb/gic_pwd.c | |
parent | 85d8c3f5fba56e462ed35af39b89b1b2b0b6855c (diff) | |
gic_pwd doesn't support password expiration notification via last_req hint
In kerberos-clarifications, a new last-req type (6) has been specified
that indicates when a principal's password will expire. This code implements
support for this last-req type. Note that the intent is that the last-req
type will only be included by the KDC when the time until password expiration
reaches some threshold (e.g., one week), so this code will display the
password expiration anytime the last-req type is included.
ticket: 1065
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14936 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/gic_pwd.c')
-rw-r--r-- | src/lib/krb5/krb/gic_pwd.c | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index caa48c5..776669a 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -287,6 +287,7 @@ cleanup:
 if (ret == 0) {
 krb5_timestamp now;
+ krb5_last_req_entry **last_req;
 int hours;
 /* XXX 7 days should be configurable. This is all pretty ad hoc,
@@ -294,7 +295,7 @@ cleanup:
 with timezones, etc. */
 if (prompter &&
- (in_tkt_service &&
+ (!in_tkt_service ||
 (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
 ((ret = krb5_timeofday(context, &now)) == 0) &&
 as_reply->enc_part2->key_exp &&
@@ -313,6 +314,44 @@ cleanup:
 /* ignore an error here */
 /* PROMPTER_INVOCATION */
 (*prompter)(context, data, 0, banner, 0, 0);
+ } else if (prompter &&
+ (!in_tkt_service ||
+ (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
+ as_reply->enc_part2 && as_reply->enc_part2->last_req) {
+ /*
+ * Check the last_req fields
+ */
+
+ for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++)
+ if ((*last_req)->lr_type == KRB5_LRQ_PW_EXPTIME) {
+ krb5_deltat delta;
+ char ts[256];
+
+ if ((ret = krb5_timeofday(context, &now)))
+ break;
+
+ if ((ret = krb5_timestamp_to_string((*last_req)->value,
+ ts, sizeof(ts))))
+ break;
+
+ delta = (*last_req)->value - now;
+
+ if (delta < 3600)
+ sprintf(banner,
+ "Warning: Your password will expire in less than one "
+ "hour on %s", ts);
+ else if (delta < 86400*2)
+ sprintf(banner,
+ "Warning: Your password will expire in %d hour%s on %s",
+ delta / 3600, delta < 7200 ? "" : "s", ts);
+ else
+ sprintf(banner,
+ "Warning: Your password will expire in %d days on %s",
+ delta / 86400, ts);
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+ }
 }
 }
|
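Review bot: The three `sprintf(banner, ...)` calls in the new `else if` branch (third hunk) write the message text plus the formatted timestamp `ts` (up to 255 bytes) into `banner` with no length bound, and `banner` is declared outside the hunk, so its size cannot be confirmed from here. Assuming it is a local array, bounding each call, e.g. `snprintf(banner, sizeof(banner), "Warning: Your password will expire in %d days on %s", (int)(delta / 86400), ts);`, removes the dependency on that size. The two `break` paths also leave a non-zero `ret` from `krb5_timeofday` or `krb5_timestamp_to_string`; if `ret` is what the function returns after this block (not visible in the hunk), a failure to format a warning would turn a successful ticket request into an error, contrary to the `/* ignore an error here */` intent, so a separate local status variable would be safer. A zero or negative `delta` (expiry already passed, or client clock ahead of the KDC) currently falls into the "less than one hour" message, which deserves either an explicit branch or a comment.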