[1173] in Kerberos-V5-bugs
krb5b4pl3: kdc/kdc_util.c: client with expired key should be able to get PWCHANGE ticket
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Mar 14 14:55:43 1995
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Date: Tue, 14 Mar 1995 14:58:47 -0500
To: krb5-bugs@MIT.EDU
A client with an expired key should be able to get an initial ticket
for any password-changing service.
--- kdc/kdc_util.c 1995/03/09 15:18:26 1.1
+++ kdc/kdc_util.c 1995/03/14 19:56:10
@@ -738,8 +738,10 @@
return KRB_AP_ERR_BADADDR;
}
- /* The client's password must not be expired */
- if (client.pw_expiration && client.pw_expiration < kdc_time) {
+ /* The client's password must not be expired, unless the server is
+ a KRB5_KDC_PWCHANGE_SERVICE. */
+ if (client.pw_expiration && client.pw_expiration < kdc_time &&
+ !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
*status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
return(KRB_ERR_GENERIC);
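Review bot: The new comment names the flag KRB5_KDC_PWCHANGE_SERVICE, but the condition two lines below tests KRB5_KDB_PWCHANGE_SERVICE; the comment should use the KDB spelling so that a search for the flag finds it. The exemption as written depends only on server.attributes, while the report limits it to initial tickets, so it is worth confirming that this check is reached only on the initial-request path, or adding that restriction to the condition. A sentence in the comment saying why an expired client is allowed through for this class of server would also help later readers.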