rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Remove-vestigial-svr_principal.c-code.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c7-beta
  2.   SOURCES
  3.   Remove-vestigial-svr_principal.c-code.patch
Blob History Raw
e5e0f2 
From 591964cbcec69e2539a1657f8872b55ed782d844 Mon Sep 17 00:00:00 2001
e5e0f2 
From: Greg Hudson <ghudson@mit.edu>
e5e0f2 
Date: Wed, 17 May 2017 15:21:34 -0400
e5e0f2 
Subject: [PATCH] Remove vestigial svr_principal.c code
e5e0f2
e5e0f2 
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
e5e0f2 
kadm5_setv4key_principal(), remove the disabled code to enforce
e5e0f2 
pw_min_life (which is enforced in kadmind as noted in the comments),
e5e0f2 
as well as the unnecessary last_pwd lookups beforehand.
e5e0f2
e5e0f2 
(cherry picked from commit 274f751937a7a713fffd61290c0ce15e890f4b50)
e5e0f2 
---
e5e0f2 
 src/lib/kadm5/srv/svr_principal.c | 60 ++-----------------------------
e5e0f2 
 1 file changed, 2 insertions(+), 58 deletions(-)
e5e0f2
e5e0f2 
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
e5e0f2 
index 73733d371..a44d53f03 100644
e5e0f2 
--- a/src/lib/kadm5/srv/svr_principal.c
e5e0f2 
+++ b/src/lib/kadm5/srv/svr_principal.c
e5e0f2 
@@ -1333,7 +1333,7 @@ kadm5_chpass_principal_3(void *server_handle,
e5e0f2 
     kadm5_policy_ent_rec        pol;
e5e0f2 
     osa_princ_ent_rec           adb;
e5e0f2 
     krb5_db_entry               *kdb;
e5e0f2 
-    int                         ret, ret2, last_pwd, hist_added;
e5e0f2 
+    int                         ret, ret2, hist_added;
e5e0f2 
     krb5_boolean                have_pol = FALSE;
e5e0f2 
     kadm5_server_handle_t       handle = server_handle;
e5e0f2 
     osa_pw_hist_ent             hist;
e5e0f2 
@@ -1406,24 +1406,6 @@ kadm5_chpass_principal_3(void *server_handle,
e5e0f2 
     if ((adb.aux_attributes & KADM5_POLICY)) {
e5e0f2 
         /* the policy was loaded before */
e5e0f2
e5e0f2 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
e5e0f2 
-        if (ret)
e5e0f2 
-            goto done;
e5e0f2 
-
e5e0f2 
-#if 0
e5e0f2 
-        /*
e5e0f2 
-         * The spec says this check is overridden if the caller has
e5e0f2 
-         * modify privilege.  The admin server therefore makes this
e5e0f2 
-         * check itself (in chpass_principal_wrapper, misc.c). A
e5e0f2 
-         * local caller implicitly has all authorization bits.
e5e0f2 
-         */
e5e0f2 
-        if ((now - last_pwd) < pol.pw_min_life &&
e5e0f2 
-            !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
e5e0f2 
-            ret = KADM5_PASS_TOOSOON;
e5e0f2 
-            goto done;
e5e0f2 
-        }
e5e0f2 
-#endif
e5e0f2 
-
e5e0f2 
         ret = check_pw_reuse(handle->context, hist_keyblocks,
e5e0f2 
                              kdb->n_key_data, kdb->key_data,
e5e0f2 
                              1, &hist);
e5e0f2 
@@ -1553,7 +1535,7 @@ kadm5_randkey_principal_3(void *server_handle,
e5e0f2 
     osa_princ_ent_rec           adb;
e5e0f2 
     krb5_timestamp              now;
e5e0f2 
     kadm5_policy_ent_rec        pol;
e5e0f2 
-    int                         ret, last_pwd, n_new_keys;
e5e0f2 
+    int                         ret, n_new_keys;
e5e0f2 
     krb5_boolean                have_pol = FALSE;
e5e0f2 
     kadm5_server_handle_t       handle = server_handle;
e5e0f2 
     krb5_keyblock               *act_mkey;
e5e0f2 
@@ -1612,24 +1594,6 @@ kadm5_randkey_principal_3(void *server_handle,
e5e0f2 
             goto done;
e5e0f2 
     }
e5e0f2 
     if (have_pol) {
e5e0f2 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
e5e0f2 
-        if (ret)
e5e0f2 
-            goto done;
e5e0f2 
-
e5e0f2 
-#if 0
e5e0f2 
-        /*
e5e0f2 
-         * The spec says this check is overridden if the caller has
e5e0f2 
-         * modify privilege.  The admin server therefore makes this
e5e0f2 
-         * check itself (in chpass_principal_wrapper, misc.c).  A
e5e0f2 
-         * local caller implicitly has all authorization bits.
e5e0f2 
-         */
e5e0f2 
-        if((now - last_pwd) < pol.pw_min_life &&
e5e0f2 
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
e5e0f2 
-            ret = KADM5_PASS_TOOSOON;
e5e0f2 
-            goto done;
e5e0f2 
-        }
e5e0f2 
-#endif
e5e0f2 
-
e5e0f2 
         if (pol.pw_max_life)
e5e0f2 
             kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
e5e0f2 
         else
e5e0f2 
@@ -1698,9 +1662,6 @@ kadm5_setv4key_principal(void *server_handle,
e5e0f2 
     krb5_keysalt                keysalt;
e5e0f2 
     int                         i, kvno, ret;
e5e0f2 
     krb5_boolean                have_pol = FALSE;
e5e0f2 
-#if 0
e5e0f2 
-    int                         last_pwd;
e5e0f2 
-#endif
e5e0f2 
     kadm5_server_handle_t       handle = server_handle;
e5e0f2 
     krb5_key_data               tmp_key_data;
e5e0f2 
     krb5_keyblock               *act_mkey;
e5e0f2 
@@ -1763,23 +1724,6 @@ kadm5_setv4key_principal(void *server_handle,
e5e0f2 
             goto done;
e5e0f2 
     }
e5e0f2 
     if (have_pol) {
e5e0f2 
-#if 0
e5e0f2 
-        /*
e5e0f2 
-         * The spec says this check is overridden if the caller has
e5e0f2 
-         * modify privilege.  The admin server therefore makes this
e5e0f2 
-         * check itself (in chpass_principal_wrapper, misc.c).  A
e5e0f2 
-         * local caller implicitly has all authorization bits.
e5e0f2 
-         */
e5e0f2 
-        if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
e5e0f2 
-                                                  kdb, &last_pwd))
e5e0f2 
-            goto done;
e5e0f2 
-        if((now - last_pwd) < pol.pw_min_life &&
e5e0f2 
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
e5e0f2 
-            ret = KADM5_PASS_TOOSOON;
e5e0f2 
-            goto done;
e5e0f2 
-        }
e5e0f2 
-#endif
e5e0f2 
-
e5e0f2 
         if (pol.pw_max_life)
e5e0f2 
             kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
e5e0f2 
         else

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation