[29951] in CVS-changelog-for-Kerberos-V5
krb5 commit: Remove vestigial svr_principal.c code
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 18 13:46:06 2017
Date: Thu, 18 May 2017 13:46:02 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201705181746.v4IHk2XL006766@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/274f751937a7a713fffd61290c0ce15e890f4b50
commit 274f751937a7a713fffd61290c0ce15e890f4b50
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed May 17 15:21:34 2017 -0400
Remove vestigial svr_principal.c code
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
kadm5_setv4key_principal(), remove the disabled code to enforce
pw_min_life (which is enforced in kadmind as noted in the comments),
as well as the unnecessary last_pwd lookups beforehand.
src/lib/kadm5/srv/svr_principal.c | 60 +-----------------------------------
1 files changed, 2 insertions(+), 58 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0d4f0a6..aa56256 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1326,7 +1326,7 @@ kadm5_chpass_principal_3(void *server_handle,
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
- int ret, ret2, last_pwd, hist_added;
+ int ret, ret2, hist_added;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
@@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle,
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
ret = check_pw_reuse(handle->context, hist_keyblocks,
kdb->n_key_data, kdb->key_data,
1, &hist);
@@ -1546,7 +1528,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_timestamp now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd, n_new_keys;
+ int ret, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1605,24 +1587,6 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
}
if (have_pol) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
@@ -1691,9 +1655,6 @@ kadm5_setv4key_principal(void *server_handle,
krb5_keysalt keysalt;
int i, kvno, ret;
krb5_boolean have_pol = FALSE;
-#if 0
- int last_pwd;
-#endif
kadm5_server_handle_t handle = server_handle;
krb5_key_data tmp_key_data;
krb5_keyblock *act_mkey;
@@ -1756,23 +1717,6 @@ kadm5_setv4key_principal(void *server_handle,
goto done;
}
if (have_pol) {
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
