svn rev #25801: trunk/src/lib/kadm5/srv/
ghudson@MIT.EDU
Wed Apr 4 17:38:58 EDT 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25801
Commit By: ghudson
Log Message:
ticket: 7110
subject: Fix password reuse check with cpw -keepold
When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.
This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".
Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.
Changed Files:
U trunk/src/lib/kadm5/srv/svr_principal.c
Modified: trunk/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- trunk/src/lib/kadm5/srv/svr_principal.c 2012-04-02 18:38:45 UTC (rev 25800)
+++ trunk/src/lib/kadm5/srv/svr_principal.c 2012-04-04 21:38:57 UTC (rev 25801)
@@ -972,6 +972,9 @@
assert (n_new_key_data >= 0);
for (x = 0; x < (unsigned) n_new_key_data; x++) {
+ /* Check only entries with the most recent kvno. */
+ if (new_key_data[x].key_data_kvno != new_key_data[0].key_data_kvno)
+ break;
ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]),
&newkey, NULL);
if (ret)
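Review bot: the `break` at line 29 of the hunk silently assumes that `new_key_data` is ordered so that entry 0 carries the most recent kvno and that all entries with that kvno come first; if the array ever arrives in a different order, the loop stops at the first mismatch and skips later entries that do have the newest kvno, so they are never compared against history. Either make the ordering assumption explicit in the comment ("new_key_data is sorted by descending kvno, so all entries with the newest kvno come first") or use `continue` instead of `break`, which compares every entry with `new_key_data[0].key_data_kvno` regardless of order at the cost of a few extra loop iterations.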