Request for comment: Supporting password expiration alert in JAAS

Weijun Wang weijun.wang at oracle.com
Wed Oct 17 05:44:44 UTC 2012


Ping again.

On 08/17/2012 06:18 PM, Weijun Wang wrote:
> Hi All
>
> I have been working with an OpenJDK contributor (Steve Beaty) recently on
> this feature.
>
> We often see messages like "Your password will expire in 5 days. Please
> update ASAP" when we log in to a system, and we are seeing if we could
> also support this kind of alert in JAAS.
>
> We first start with the Krb5LoginModule. In Kerberos, the KDC might
> send a LastReq field in response to a ticket request. Normally, the
> LastReq might contain:
>
> 1. The time the password will expire.
> 2. The time the account will expire.
>
> (It might contain other things like the last request time from the same
> client, so the login module can show the user "Last login: Thu Aug 16
> 19:44:55 2012". That's also how the field is named).
>
> Our current idea is to create a new kind of Callback, say,
> PasswordExpirationCallback, for a login module. If a password/account
> expiration message is found in the LastReq field received, some
> user-defined method can be called.
>
> However, we cannot decide on what argument we should provide to this
> method. Certainly, just passing the LastReq field is not very good,
> since it's Kerberos-specific. Passing only the password expiration time?
> I'm not sure if the information is too little.
>
> Are you familiar with all other styles of password expiration warnings?
> What kind of message is generalized enough and also contains enough info?
>
> Any suggestions are welcome.
>
> Thanks
> Max
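
One possible shape for the callback discussed in the quoted message, as an added example that is not code from the message, from the JDK, or from Krb5LoginModule. The `PasswordExpirationCallback` class body, its `Kind` enum, and the `fromLastReq` and `alert` helpers are hypothetical; the lr-type values 6 and 7 are taken from RFC 4120, and the LastReq entry is assumed to be already decoded from the KDC reply.

```java
import java.time.Duration;
import java.time.Instant;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

public class ExpirationAlertDemo {
    // Hypothetical callback type (not in the JDK): carries only mechanism-neutral facts.
    static final class PasswordExpirationCallback implements Callback {
        enum Kind { PASSWORD, ACCOUNT }
        final Kind kind;
        final Instant expiresAt;
        PasswordExpirationCallback(Kind kind, Instant expiresAt) {
            this.kind = kind;
            this.expiresAt = expiresAt;
        }
    }

    // Login-module side: map one decoded LastReq entry to a callback, or null if it is
    // not an expiration entry. RFC 4120: |lr-type| 6 = password expiry, 7 = account expiry.
    static PasswordExpirationCallback fromLastReq(int lrType, Instant lrValue) {
        switch (Math.abs(lrType)) {
            case 6: return new PasswordExpirationCallback(PasswordExpirationCallback.Kind.PASSWORD, lrValue);
            case 7: return new PasswordExpirationCallback(PasswordExpirationCallback.Kind.ACCOUNT, lrValue);
            default: return null; // e.g. last-request times
        }
    }

    // Application side: build the alert text, or null when expiry is beyond the threshold.
    static String alert(PasswordExpirationCallback cb, Instant now, Duration threshold) {
        Duration left = Duration.between(now, cb.expiresAt);
        String what = cb.kind.name().toLowerCase(java.util.Locale.ROOT);
        if (left.isNegative()) return "Your " + what + " has expired.";
        if (left.compareTo(threshold) > 0) return null;
        return "Your " + what + " will expire in " + left.toDays() + " days.";
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2012-08-17T10:18:00Z"); // constructed sample clock
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (!(c instanceof PasswordExpirationCallback)) throw new UnsupportedCallbackException(c);
                String msg = alert((PasswordExpirationCallback) c, now, Duration.ofDays(14));
                if (msg != null) System.out.println(msg);
            }
        };
        // Constructed LastReq entry: password expires five days after the sample clock.
        handler.handle(new Callback[] { fromLastReq(6, now.plus(Duration.ofDays(5))) });
    }
}
```

Passing an absolute expiry time plus a kind leaves the wording and the warning threshold to the application's handler, and keeps the Kerberos-specific lr-type mapping inside the login module.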


