Expiring password interrupt from Kerberos

Ian Bobbitt ibobbitt at globalnoc.iu.edu
Tue Oct 24 20:51:18 EDT 2017

I would like to use the Kerberos password expiration date to trigger the 
expiring password interrupt.

I can have the login add the ticket to the Subjects. I can see that 
subject from a ScribedAttribute (or would a SubjectDerivedAttribute be 
better?), but I can't figure out how to access the password expiration 
from there. If I decrypt the reply from the KDC I see the expiration 
date in the packet, so I know it's there if I can just find the right 
set of methods to call.

Has someone figured this out already and is willing and able to share 
their solution, or help point me in the right direction?

-- Ian

(Yes, I know regularly expiring passwords that aren't suspected to be 
compromised goes against current recommended practices. I can't change 
the policy.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4090 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://shibboleth.net/pipermail/users/attachments/20171024/7f9fd815/attachment.p7s>

More information about the users mailing list