kadmind: password history interaction with keepold

[Greg Hudson]

On 07/23/2014 08:37 AM, Tomas Kuthan wrote:
> I have ran into a corner case and I am not really sure if the behavior 
> in the back-end agnostic code is correct with respect to use of -keepold 
> option with principals with password history.
> In my opinion, with -keepold, old keys are retained in password history 
> for too long.

Sorry, I missed this message somehow.  I agree completely; only the most
recent kvno should be stored in the history record.