[2720] in Kerberos-V5-bugs
krb5-admin/415: Don't update the last password change field for new users
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Apr 10 13:47:17 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, kenh@cmf.nrl.navy.mil
Date: Thu, 10 Apr 1997 13:42:53 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
>Number: 415
>Category: krb5-admin
>Synopsis: The current behavior of kadmind makes using minimum password lifetimes difficult
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bjaspan
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 10 13:44:01 EDT 1997
>Last-Modified:
>Originator: Ken Hornstein
>Organization:
Navel Research Lab
>Release: 1.0
>Environment:
System: SunOS nexus 4.1.4 3 sun4m
Architecture: sun4
>Description:
The current way kadmind works makes it difficult to use minimum password
lifetimes.
When you create a user, the "last password change" field is updated so it
has the time the account was created. This is problematic if you set a
minimum password lifetime; if you want new users to change their passwords
right away, you have to wait until the minimum password lifetime has lapsed
until they can change their password, and that simply doesn't make sense.
>How-To-Repeat:
Create a user with a long minimum password lifetime, and tell them to change
their passwords right away.
>Fix:
This simple patch makes it so newly created accounts don't have a
password change time.
--- lib/kadm5/srv/svr_principal.c.orig Mon Nov 11 17:05:18 1996
+++ lib/kadm5/srv/svr_principal.c Thu Apr 10 13:30:02 1997
@@ -212,13 +212,6 @@
return(ret);
}
- if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) {
- krb5_dbe_free_contents(handle->context, &kdb);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
-
/* initialize the keys */
if (ret = krb5_dbe_cpw(handle->context, &master_encblock,
>Audit-Trail:
>Unformatted: