Request for comment: Supporting password expiration alert in JAAS (original) (raw)

Weijun Wang weijun.wang at oracle.com
Fri Aug 17 10🔞05 UTC 2012

Hi All

I am working with an OpenJDK contributor (Steve Beaty) recently on this feature.

We often see messages like "Your password will expire in 5 days. Please update ASAP" when we login to a system, and we are seeing if we could also support this kind of alert in JAAS.

We first starts with the Krb5LoginModule. In Kerberos, the KDC might send a LastReq field in response to a ticket request. Normally, the LastReq might contain:

  1. The time the password will expire
  2. The time the account will expire.

(It might contain other things like the last request time from the same client, so the login module can show the user "Last login: Thu Aug 16 19:44:55 2012". That's also how the field is named).

Out current idea is to create a new kind of Callback, say, PasswordExpirationCallback for a login module, if a password/account expiration message is found in the LastReq field received, some user-defined method can be called.

However, we cannot decide on what argument we should provide to this method. Certainly, just passing the LastReq field is not very good, since it's keberos-specific. Passing only the password expiration time? I'm not sure if the information is too little.

Are you familiar with all other styles of password expiration warnings? What kind of message is generalized enough and also contains enough info?

Any suggestion welcomed.

Thanks Max

More information about the security-dev mailing list