confusion in ank.

Kevin Coffman kwc at citi.umich.edu
Mon Apr 23 13:03:59 EDT 2007


On 4/23/07, Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> On Mon, Apr 23, 2007 at 11:27:22AM -0400, Kevin Coffman wrote:
> > I haven't looked at the code, but I think this is probably done on
> > purpose and is not a bug.  When you create a keytab, you create a new
> > random key for the account.  There is no password associated with that
> > key, and there is no longer a reason for a password expiration.
>
> Password quality policies certainly shouldn't apply to randomly-
> generated keys, but that does not mean that there cannot be a key
> expiration policy.

OK, I looked at the code.

If the principal has a policy, and the policy has a pw_max_life, the
password expiration is updated.  If the principal has no policy, then
the password expiration is reset.  So I'm assuming this principal is
not associated with a policy, or the policy doesn't have a
pw_max_life.

From src/lib/kadm5/srv/svr_principal.c: kadm5_randkey_principal_3():

    if ((adb.aux_attributes & KADM5_POLICY)) {
        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
                                    &pol)) != KADM5_OK)
            goto done;
        have_pol = 1;

        ret = krb5_dbe_lookup_last_pwd_change(handle->context,
                                              &kdb, &last_pwd);
        if (ret)
            goto done;

#if 0
        /*
         * The spec says this check is overridden if the caller has
         * modify privilege.  The admin server therefore makes this
         * check itself (in chpass_principal_wrapper, misc.c).  A
         * local caller implicitly has all authorization bits.
         */
        if ((now - last_pwd) < pol.pw_min_life &&
            !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
            ret = KADM5_PASS_TOOSOON;
            goto done;
        }
#endif

        if (pol.pw_history_num > 1) {
            if (adb.admin_history_kvno != hist_kvno) {
                ret = KADM5_BAD_HIST_KEY;
                goto done;
            }

            ret = check_pw_reuse(handle->context, &hist_key,
                                 kdb.n_key_data, kdb.key_data,
                                 adb.old_key_len, adb.old_keys);
            if (ret)
                goto done;
        }
        if (pol.pw_max_life)
            kdb.pw_expiration = now + pol.pw_max_life;
        else
            kdb.pw_expiration = 0;
    } else {
        kdb.pw_expiration = 0;
    }
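
As an added example (not part of this thread or of MIT Kerberos), a small audit that lists principals whose password expiration came out as [never], together with the policy they carry, which is where the randkey behaviour above leaves principals that have no policy or a policy without pw_max_life. It assumes the "getprinc" output layout of kadmin.local (Principal, Password expiration date, Policy lines); the sample output below is constructed.

```shell
#!/bin/sh
# Constructed sample of "kadmin.local -q 'getprinc <name>'" output for three
# principals (assumption: field names as printed by MIT kadmin; values invented).
SAMPLE_GETPRINC='Principal: host/a.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Apr 23 11:00:00 EDT 2007
Password expiration date: [never]
Policy: [none]
Principal: host/b.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Apr 23 11:00:00 EDT 2007
Password expiration date: Tue Apr 22 11:00:00 EDT 2008
Policy: hosts
Principal: kwc/admin@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Apr 23 11:00:00 EDT 2007
Password expiration date: [never]
Policy: default'

# never_expiring OUTPUT
# Reads getprinc output (one or more principals) on $1 and prints
# "<principal> policy=<policy>" for every principal whose password
# expiration is [never]. A principal listed with policy=[none] has no
# policy at all; one listed with a named policy has a policy whose
# pw_max_life is unset, so randkey reset its expiration to 0.
never_expiring() {
    printf '%s\n' "$1" | awk '
        /^Principal: /                { princ = $2; never = 0 }
        /^Password expiration date: / { never = ($0 ~ /\[never\]/) }
        /^Policy: /                   { if (never) print princ, "policy=" $2 }
    '
}

# Against a live KDC the same function can be fed, for example,
# never_expiring "$(kadmin.local -q 'getprinc host/a.example.com')".
never_expiring "$SAMPLE_GETPRINC"
```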
