confusion in ank.
Kevin Coffman
kwc at citi.umich.edu
Mon Apr 23 13:03:59 EDT 2007
On 4/23/07, Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> On Mon, Apr 23, 2007 at 11:27:22AM -0400, Kevin Coffman wrote:
> > I haven't looked at the code, but I think this is probably done on
> > purpose and is not a bug. When you create a keytab, you create a new
> > random key for the account. There is no password associated with that
> > key, and there is no longer a reason for a password expiration.
>
> Password quality policies certainly shouldn't apply to randomly-
> generated keys, but that does not mean that there cannot be a key
> expiration policy.
OK, I looked at the code.
If the principal has a policy, and the policy has a pw_max_life, the
password expiration is updated. If the principal has no policy, then
the password expiration is reset. So I'm assuming this principal is
not associated with a policy, or the policy doesn't have a
pw_max_life.
From src/lib/kadm5/srv/svr_principal.c, kadm5_randkey_principal_3():
    if ((adb.aux_attributes & KADM5_POLICY)) {
        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
                                    &pol)) != KADM5_OK)
            goto done;
        have_pol = 1;

        ret = krb5_dbe_lookup_last_pwd_change(handle->context,
                                              &kdb, &last_pwd);
        if (ret)
            goto done;

#if 0
        /*
         * The spec says this check is overridden if the caller has
         * modify privilege. The admin server therefore makes this
         * check itself (in chpass_principal_wrapper, misc.c). A
         * local caller implicitly has all authorization bits.
         */
        if((now - last_pwd) < pol.pw_min_life &&
           !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
            ret = KADM5_PASS_TOOSOON;
            goto done;
        }
#endif

        if(pol.pw_history_num > 1) {
            if(adb.admin_history_kvno != hist_kvno) {
                ret = KADM5_BAD_HIST_KEY;
                goto done;
            }
            ret = check_pw_reuse(handle->context, &hist_key,
                                 kdb.n_key_data, kdb.key_data,
                                 adb.old_key_len, adb.old_keys);
            if (ret)
                goto done;
        }

        /* policy with a pw_max_life: expiration follows the policy */
        if (pol.pw_max_life)
            kdb.pw_expiration = now + pol.pw_max_life;
        else
            kdb.pw_expiration = 0;
    } else {
        /* no policy on the principal: expiration is cleared */
        kdb.pw_expiration = 0;
    }
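A practical way to act on the three branches quoted above (no policy, policy without pw_max_life, policy with pw_max_life) is to audit a principal before running ktadd/randkey. The helper below is an added example, not code from the original message or from MIT krb5. It assumes the line-oriented "Key: value" output format of `kadmin.local -q "getprinc ..."` and `kadmin.local -q "getpol ..."`; the sample outputs embedded in it are constructed, and the `audit_live` function that shells out to kadmin.local is only meaningful on a KDC host.

```python
"""
Audit helper mirroring the kadm5_randkey_principal_3() expiration logic.
Added example; not part of the original post or of MIT krb5.
Assumption: getprinc/getpol print one "Key: value" field per line.
"""
import re
import subprocess

NEVER = "[never]"


def parse_kv(text):
    """Turn 'Key: value' output lines into a dict (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def policy_max_life(getpol_output):
    """pw_max_life in seconds from getpol output; 0 means 'no maximum'.
    Accepts a bare number of seconds or an 'N days HH:MM:SS' duration,
    since different kadmin versions print it either way (assumption)."""
    raw = parse_kv(getpol_output).get("Maximum password life", "0")
    if raw.isdigit():
        return int(raw)
    m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)", raw)
    if m is None:
        raise ValueError("unrecognised duration: %r" % raw)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def expected_after_randkey(now, policy_name, pw_max_life):
    """Same decision as the quoted C: a policy with a pw_max_life gives
    now + pw_max_life; no policy, or a policy without pw_max_life, gives 0."""
    if policy_name and pw_max_life:
        return now + pw_max_life
    return 0


def audit_principal(getprinc_output, getpol_output=None):
    """Classify what a randkey (e.g. ktadd) will do to the principal's
    password expiration, from getprinc output plus its policy's getpol."""
    p = parse_kv(getprinc_output)
    policy = p.get("Policy", "[none]")
    policy = None if policy in ("[none]", "") else policy
    max_life = policy_max_life(getpol_output) if policy and getpol_output else 0
    if policy is None:
        finding = "no policy: randkey clears the password expiration"
    elif max_life == 0:
        finding = "policy %s has no pw_max_life: randkey clears the password expiration" % policy
    else:
        finding = "policy %s: randkey sets expiration to now + %d seconds" % (policy, max_life)
    return {
        "principal": p.get("Principal"),
        "policy": policy,
        "pw_max_life": max_life,
        "pw_expiration": p.get("Password expiration date", NEVER),
        "expires_after_randkey": bool(policy and max_life),
        "finding": finding,
    }


def run_kadmin(query):
    """Run one kadmin.local query; requires local KDC database access."""
    return subprocess.run(["kadmin.local", "-q", query],
                          capture_output=True, text=True, check=True).stdout


def audit_live(principal):
    """Live variant: fetch getprinc and, if present, the policy's getpol."""
    princ_out = run_kadmin("getprinc " + principal)
    policy = parse_kv(princ_out).get("Policy", "[none]")
    pol_out = run_kadmin("getpol " + policy) if policy != "[none]" else None
    return audit_principal(princ_out, pol_out)


# Constructed sample outputs (not captured from a real KDC).
SAMPLE_GETPRINC_NO_POLICY = """\
Principal: host/nfs1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Apr 23 13:03:59 EDT 2007
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des-cbc-crc
Attributes:
Policy: [none]
"""
SAMPLE_GETPRINC_WITH_POLICY = SAMPLE_GETPRINC_NO_POLICY.replace(
    "Policy: [none]", "Policy: hosts")
SAMPLE_GETPOL_HOSTS = """\
Policy: hosts
Maximum password life: 90 days 00:00:00
Minimum password life: 0
Minimum password length: 8
Number of old keys kept: 5
"""
SAMPLE_GETPOL_NO_MAX = SAMPLE_GETPOL_HOSTS.replace(
    "Maximum password life: 90 days 00:00:00", "Maximum password life: 0")

if __name__ == "__main__":
    print(audit_principal(SAMPLE_GETPRINC_NO_POLICY)["finding"])
    print(audit_principal(SAMPLE_GETPRINC_WITH_POLICY, SAMPLE_GETPOL_HOSTS)["finding"])
    print(audit_principal(SAMPLE_GETPRINC_WITH_POLICY, SAMPLE_GETPOL_NO_MAX)["finding"])
```

If a key expiration is wanted on keytab principals, the audit makes the fix obvious: attach a policy that has a maximum password life (modprinc -policy) before running ktadd, since a randkey on a policy-less principal will always reset pw_expiration to 0.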