[krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
pgp@psu.edu via RT
rt-comment at krbdev.mit.edu
Tue Jun 9 14:23:20 EDT 2009
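Not a diff, but here are the two locations in 1.7 where the two |if|
statements need to be switched around, so that the client-expiration check
(KDC_ERR_NAME_EXP) runs before the password-expiration check
(KDC_ERR_KEY_EXP):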
Location 1:
941 /* The client's password must not be expired, unless the server is
942 a KRB5_KDC_PWCHANGE_SERVICE. */
943 if (client.pw_expiration && client.pw_expiration < kdc_time &&
944 !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
945 *status = "CLIENT KEY EXPIRED";
946 #ifdef KRBCONF_VAGUE_ERRORS
947 return(KRB_ERR_GENERIC);
948 #else
949 return(KDC_ERR_KEY_EXP);
950 #endif
951 }
952
953 /* The client must not be expired */
954 if (client.expiration && client.expiration < kdc_time) {
955 *status = "CLIENT EXPIRED";
956 #ifdef KRBCONF_VAGUE_ERRORS
957 return(KRB_ERR_GENERIC);
958 #else
959 return(KDC_ERR_NAME_EXP);
960 #endif
961 }
Location 2:
1873 /* The client's password must not be expired, unless the server is
1874 a KRB5_KDC_PWCHANGE_SERVICE. */
1875 if (client->pw_expiration && client->pw_expiration < kdc_time) {
1876 *status = "CLIENT KEY EXPIRED";
1877 return KDC_ERR_KEY_EXP;
1878 }
1879
1880 /* The client must not be expired */
1881 if (client->expiration && client->expiration < kdc_time) {
1882 *status = "CLIENT EXPIRED";
1883 return KDC_ERR_NAME_EXP;
1884 }
-Phil