krb5 commit: Remove vestigial svr_principal.c code

Greg Hudson ghudson at mit.edu
Thu May 18 13:46:02 EDT 2017


https://github.com/krb5/krb5/commit/274f751937a7a713fffd61290c0ce15e890f4b50
commit 274f751937a7a713fffd61290c0ce15e890f4b50
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed May 17 15:21:34 2017 -0400

    Remove vestigial svr_principal.c code
    
    In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
    kadm5_setv4key_principal(), remove the disabled code to enforce
    pw_min_life (which is enforced in kadmind as noted in the comments),
    as well as the unnecessary last_pwd lookups beforehand.

 src/lib/kadm5/srv/svr_principal.c |   60 +-----------------------------------
 1 files changed, 2 insertions(+), 58 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0d4f0a6..aa56256 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1326,7 +1326,7 @@ kadm5_chpass_principal_3(void *server_handle,
     kadm5_policy_ent_rec        pol;
     osa_princ_ent_rec           adb;
     krb5_db_entry               *kdb;
-    int                         ret, ret2, last_pwd, hist_added;
+    int                         ret, ret2, hist_added;
     krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     osa_pw_hist_ent             hist;
@@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle,
     if ((adb.aux_attributes & KADM5_POLICY)) {
         /* the policy was loaded before */
 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
-        if (ret)
-            goto done;
-
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c). A
-         * local caller implicitly has all authorization bits.
-         */
-        if ((now - last_pwd) < pol.pw_min_life &&
-            !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         ret = check_pw_reuse(handle->context, hist_keyblocks,
                              kdb->n_key_data, kdb->key_data,
                              1, &hist);
@@ -1546,7 +1528,7 @@ kadm5_randkey_principal_3(void *server_handle,
     osa_princ_ent_rec           adb;
     krb5_timestamp              now;
     kadm5_policy_ent_rec        pol;
-    int                         ret, last_pwd, n_new_keys;
+    int                         ret, n_new_keys;
     krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     krb5_keyblock               *act_mkey;
@@ -1605,24 +1587,6 @@ kadm5_randkey_principal_3(void *server_handle,
             goto done;
     }
     if (have_pol) {
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
-        if (ret)
-            goto done;
-
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c).  A
-         * local caller implicitly has all authorization bits.
-         */
-        if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         if (pol.pw_max_life)
             kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else
@@ -1691,9 +1655,6 @@ kadm5_setv4key_principal(void *server_handle,
     krb5_keysalt                keysalt;
     int                         i, kvno, ret;
     krb5_boolean                have_pol = FALSE;
-#if 0
-    int                         last_pwd;
-#endif
     kadm5_server_handle_t       handle = server_handle;
     krb5_key_data               tmp_key_data;
     krb5_keyblock               *act_mkey;
@@ -1756,23 +1717,6 @@ kadm5_setv4key_principal(void *server_handle,
             goto done;
     }
     if (have_pol) {
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c).  A
-         * local caller implicitly has all authorization bits.
-         */
-        if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                                  kdb, &last_pwd))
-            goto done;
-        if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         if (pol.pw_max_life)
             kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else


More information about the cvs-krb5 mailing list