Red Hat Bugzilla – Bug 556495
Configure/disable "Warning: Your password will expire in XX days"
Last modified: 2010-04-08 15:14:53 EDT
Description of problem:
Any time a user enters their password via PAM, they are informed that the password will expire in XX days. This could be 1 day or 365 days.
Can this be configurable to a sensible number like 7 days?
Version-Release number of selected component (if applicable):
Every time the password is entered.
Steps to Reproduce:
1. Have a user with a password expiry date set
2. Get that user to log in
"Warning: Your password will expire in XX days"
Blessed silence (until a sensible period for giving the warning)
The KDC is running Heimdal 1.2 (from Debian Lenny)
It's not something pam_krb5 has direct control over, as the message is passed to it by the Kerberos libraries, which hard-code the message. There are two ways the KDC can report expiration in the protocol, but the client code doesn't behave quite the same for both cases. Moving this to the krb5 component.
I had a look through the options on the Heimdal KDC and found the setting there.
Please feel free to NOTABUG
Should it be of interest to anyone else: I set kdc_warn_pwexpire=7d in /etc/heimdal/kdc.conf
Okay, dropping the patch we were using from Raw Hide and subsequent updates.