[krbdev.mit.edu #8393] Password Expiration "Never" Inconsistently Applied

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon Apr 18 17:56:32 EDT 2016


The major problem here has to do with how kadmin reads time intervals: 
it parses the string as an absolute time using getdate.y and subtracts 
the current time.  getdate.y supports several date forms relative to 
the current time, like "3 days", and you get a natural result if you 
input one of these forms.  But if you enter a form which is not 
relative to the current time, you get nonsensical results:

    kadmin.local:  addpol -maxlife never testpol2
    kadmin.local:  getpol testpol
    [...]
    Maximum password life: 2833951712

    kadmin.local:  modprinc -maxlife never user
    Principal "user at KRBTEST.COM" modified.
    kadmin.local:  getprinc user
    [...]
    Maximum ticket life: -16909 days 21:52:08

Given a time machine, we would perhaps make kadmin use libkrb5 str_conv 
routines instead of getdate.y, as those functions correctly distinguish 
between intervals and absolute times.  But that could break many 
scripts.

Since we don't have a time machine, we should probably apply some 
sanity checks to the get_date() result when reading intervals in 
kadmin.  If we read an absolute time of 0, we should probably interpret 
that as a duration of 0, not 2^32 minus the current Unix time.  If we 
read a non-zero absolute time which is less than the current time, we 
should perhaps yield an error.
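Added example in C, not code from the ticket or from the krb5 tree: a constructed stand-in for get_date() next to the unchecked "absolute time minus now" computation the ticket describes, and a second reader with the proposed sanity checks. The names fake_get_date, interval_unchecked and interval_checked, and the "epoch:N" absolute form, are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for getdate.y's get_date(), constructed for this example (not the
 * real parser): "never" -> 0, "N days" -> now + N days, and the made-up
 * absolute form "epoch:N" -> N. Returns (time_t)-1 on a parse failure. */
static time_t fake_get_date(const char *s, time_t now)
{
    long n;
    char unit[16];

    if (strcmp(s, "never") == 0)
        return 0;
    if (sscanf(s, "epoch:%ld", &n) == 1)
        return (time_t)n;
    if (sscanf(s, "%ld %15s", &n, unit) == 2 && strncmp(unit, "day", 3) == 0)
        return now + (time_t)n * 86400;
    return (time_t)-1;
}

/* The behaviour the ticket describes: absolute time minus "now", kept in a
 * 32-bit delta with no sanity check, so "never" (0) becomes 0 - now. */
int32_t interval_unchecked(const char *s, time_t now)
{
    return (int32_t)(fake_get_date(s, now) - now);
}

/* The checks proposed in the ticket: an absolute time of 0 is a duration of
 * 0, and a non-zero absolute time earlier than "now" is rejected. */
int interval_checked(const char *s, time_t now, int32_t *out)
{
    time_t date = fake_get_date(s, now);

    if (date == (time_t)-1)
        return -1;                      /* unparsable input */
    if (date == 0) {
        *out = 0;                       /* "never": no limit, not 2^32 - now */
        return 0;
    }
    if (date < now)
        return -2;                      /* absolute time in the past */
    *out = (int32_t)(date - now);
    return 0;
}
```

With a constructed now of 1461016328, interval_unchecked("never", now) gives -1461016328, which is the -16909 days 21:52:08 shown in the ticket, while interval_checked stores 0 for the same input.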

