[krbdev.mit.edu #7432] krb5-1.10.3: Updating krbtgt with kvno 0
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Oct 25 19:34:53 EDT 2012
krb5_dbe_def_search_enctype does not currently treat kvno 0 the same way
as kvno -1. kvno -1 means "ignore the kvno", while kvno 0 means "search
only in the highest kvno". (Confusingly, if you pass kvno, stype, and
ktype all as -1, the code optimizes by setting kvno to 0 in order to look
only at entries of highest kvno, without a comment explaining what it's
doing.)

It may be that we don't need both modes of operation. Offhand, I can't
imagine a situation where you want to search for a particular enctype
and/or salt type across all key versions. But we'd need to analyze all
of the call sites to make sure of that.
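
The two modes described in the message above, as an added illustration; this is a simplified model, not the MIT krb5 source. The struct, the function name model_search and the sample key list are hypothetical and constructed for the example.

```c
#include <stdio.h>

/* Hypothetical stand-in for one stored key; not the krb5 key data layout. */
struct model_key { int kvno; int ktype; int stype; };

/* Constructed sample: kvno 3 holds only enctype 18; kvno 2 still has 23. */
static const struct model_key sample_keys[] = {
    {3, 18, 0}, {2, 18, 0}, {2, 23, 0},
};
#define SAMPLE_N (sizeof(sample_keys) / sizeof(sample_keys[0]))

/* Returns the index of the selected key, or -1 if none matches.
 * ktype/stype -1 match anything. kvno -1 ignores the kvno (newest matching
 * key wins), kvno 0 searches only the highest kvno, kvno > 0 only that one. */
int model_search(const struct model_key *k, size_t n,
                 int ktype, int stype, int kvno)
{
    int best = -1, best_kvno = -1;
    size_t i;

    /* All filters wild: the newest key wins anyway, so use highest-kvno mode. */
    if (kvno == -1 && ktype == -1 && stype == -1)
        kvno = 0;
    if (kvno == 0)
        for (i = 0; i < n; i++)
            if (k[i].kvno > kvno)
                kvno = k[i].kvno;

    for (i = 0; i < n; i++) {
        if ((ktype != -1 && k[i].ktype != ktype) ||
            (stype != -1 && k[i].stype != stype))
            continue;
        if (kvno >= 0) {
            if (k[i].kvno == kvno)
                return (int)i;
        } else if (k[i].kvno > best_kvno) {
            best_kvno = k[i].kvno;
            best = (int)i;
        }
    }
    return best;
}

int main(void)
{
    printf("%d %d\n", model_search(sample_keys, SAMPLE_N, 23, -1, -1),
           model_search(sample_keys, SAMPLE_N, 23, -1, 0));
    return 0;
}
```

On the constructed sample, a request for enctype 23 is answered from the older kvno 2 key when kvno is -1 and finds nothing when kvno is 0.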