From 591964cbcec69e2539a1657f8872b55ed782d844 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 15:21:34 -0400
Subject: [PATCH] Remove vestigial svr_principal.c code
|
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
kadm5_setv4key_principal(), remove the disabled code to enforce
pw_min_life (which is enforced in kadmind as noted in the comments),
as well as the unnecessary last_pwd lookups beforehand.
|
(cherry picked from commit 274f751937a7a713fffd61290c0ce15e890f4b50)
---
src/lib/kadm5/srv/svr_principal.c | 60 ++-----------------------------
1 file changed, 2 insertions(+), 58 deletions(-)
|
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 73733d371..a44d53f03 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1333,7 +1333,7 @@ kadm5_chpass_principal_3(void *server_handle,
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
- int ret, ret2, last_pwd, hist_added;
+ int ret, ret2, hist_added;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
@@ -1406,24 +1406,6 @@ kadm5_chpass_principal_3(void *server_handle,
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
|
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
ret = check_pw_reuse(handle->context, hist_keyblocks,
kdb->n_key_data, kdb->key_data,
1, &hist);
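Review bot: With the `#if 0` block removed, nothing left in kadm5_chpass_principal_3() records that pw_min_life is deliberately not enforced at the library layer, and the same gap appears in the corresponding hunks of kadm5_randkey_principal_3() and kadm5_setv4key_principal(). The deleted comment was the only in-code pointer to where the check actually lives (chpass_principal_wrapper in misc.c, as the commit message also says), and without it a future maintainer may either re-add a duplicate check here or assume local callers are covered when, per the removed comment, they implicitly hold all authorization bits. Suggest keeping one line after `/* the policy was loaded before */`: `/* pw_min_life is enforced by kadmind (chpass_principal_wrapper, misc.c), not here; local callers are not subject to it. */`, with the equivalent line at the top of the two `if (have_pol) {` blocks in the other two functions. The enclosing functions begin and end outside the hunk.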
@@ -1553,7 +1535,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_timestamp now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd, n_new_keys;
+ int ret, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1612,24 +1594,6 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
}
if (have_pol) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
@@ -1698,9 +1662,6 @@ kadm5_setv4key_principal(void *server_handle,
krb5_keysalt keysalt;
int i, kvno, ret;
krb5_boolean have_pol = FALSE;
-#if 0
- int last_pwd;
-#endif
kadm5_server_handle_t handle = server_handle;
krb5_key_data tmp_key_data;
krb5_keyblock *act_mkey;
@@ -1763,23 +1724,6 @@ kadm5_setv4key_principal(void *server_handle,
goto done;
}
if (have_pol) {
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else