Sanity check: MAX_PW_HIST

ghudson@MIT.EDU ghudson at MIT.EDU
Tue May 5 23:33:32 EDT 2009

Our kadmind's svr_policy.c contains:

  #define MAX_PW_HISTORY 10

and two instances of:

  if (entry->pw_history_num < MIN_PW_HISTORY ||
      entry->pw_history_num > MAX_PW_HISTORY)
    return KADM5_BAD_HISTORY;

There's no other use of this constant.  The actual key history is
stored in a circular buffer of dynamic size; we're not taking
advantage of the maximum to allocate a fixed-sized array or anything.

The constant dates back to 1996 when we first merged in the OV kadmin
code; it didn't seem to have any particular reason to exist back then
either.  I think it would be a long shot to find the code's authors
from 13+ years ago and ask why they put that limit there, so before we
get rid of the arbitrary limit, I'll just ask here: does anyone know
of a reason why it should exist?

(For a little more background: this constant limits the maximum value
of the password history size you can set in a policy, which in turn
determines how far back kadmind will check to see if you're reusing an
old password.)

More information about the krbdev mailing list