Sanity check: MAX_PW_HIST
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue May 5 23:33:32 EDT 2009
Our kadmind's svr_policy.c contains:
#define MAX_PW_HISTORY 10
and two instances of:
if (entry->pw_history_num < MIN_PW_HISTORY ||
entry->pw_history_num > MAX_PW_HISTORY)
return KADM5_BAD_HISTORY;
There's no other use of this constant. The actual key history is
stored in a circular buffer of dynamic size; we're not taking
advantage of the maximum to allocate a fixed-sized array or anything.
The constant dates back to 1996 when we first merged in the OV kadmin
code; it didn't seem to have any particular reason to exist back then
either. I think it would be a long shot to find the code's authors
from 13+ years ago and ask why they put that limit there, so before we
get rid of the arbitrary limit, I'll just ask here: does anyone know
of a reason why it should exist?
(For a little more background: this constant limits the maximum value
of the password history size you can set in a policy, which in turn
determines how far back kadmind will check to see if you're reusing an
old password.)
More information about the krbdev
mailing list