
krb5-admin/441: It is impossible to change the last pwd change date

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Jun 26 20:40:40 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, kenh@cmf.nrl.navy.mil
Date: Thu, 26 Jun 1997 19:30:52 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU


>Number:         441
>Category:       krb5-admin
>Synopsis:       You can't change the last pwd change date
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bjaspan
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Thu Jun 26 19:43:03 EDT 1997
>Last-Modified:
>Originator:     Ken Hornstein
>Organization:
Navel Lint Research Laboratory
	
>Release:        1.0pl1
>Environment:
	
System: SunOS nexus 4.1.4 3 sun4m
Architecture: sun4

>Description:
	
After having used minimum password lifetimes, one quickly discovers that
there needs to be a way to override them occasionally.

One common case is that an admin resets a user's password, but the user
then cannot change that password until the minimum password lifetime has
elapsed.  This makes minimum lifetimes cumbersome to use, and discourages
sites from enabling the feature.
>How-To-Repeat:
	
Enable minimum password lifetimes for a while with a large user population.
>Fix:
	
These patches provide the ability to change the "last password change"
time from the admin front-end.  This allows an administrator to override
the minimum password lifetime if necessary.

Index: krb5/kadmin/cli/kadmin.c
diff -c krb5/kadmin/cli/kadmin.c:1.1.1.1 krb5/kadmin/cli/kadmin.c:1.2
*** krb5/kadmin/cli/kadmin.c:1.1.1.1	Mon Jun  2 17:55:06 1997
--- krb5/kadmin/cli/kadmin.c	Thu Jun 26 19:19:11 1997
***************
*** 709,714 ****
--- 709,730 ----
  	    ++*randkey;
  	    continue;
  	}
+ 	if (strlen(argv[i]) == 13 &&
+ 	    !strcmp("-lastpwchange", argv[i])) {
+ 	    if (++i > argc - 2)
+ 		return -1;
+ 	    else {
+ 		date = get_date(argv[i], NULL);
+  		if (date == (time_t)-1) {
+ 		     fprintf(stderr, "Invalid date specification \"%s\".\n",
+ 			     argv[i]);
+ 		     return -1;
+  		}
+ 		oprinc->last_pwd_change = date;
+ 		*mask |= KADM5_LAST_PWD_CHANGE;
+ 		continue;
+ 	    }
+ 	}
  	for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
  	    if (strlen(argv[i]) == flags[j].flaglen + 1 &&
  		!strcmp(flags[j].flagname,
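Review bot: The new `-lastpwchange` branch stores whatever get_date() returns into oprinc->last_pwd_change with no range check, so a date in the future is accepted; since the minimum-lifetime check is presumably measured from this field, a mistyped future date would lock the user out of password changes for longer than policy intends, the opposite of what the option is for. A guard after the sentinel test, `if (date > time(NULL)) { fprintf(stderr, "Last password change date \"%s\" is in the future.\n", argv[i]); return -1; }`, catches the obvious mistake before the request leaves the client. The `date` local and the `++i > argc - 2` argument check are assumed to follow the existing -expire/-pwexpire handling, whose declarations and parsing lie outside this hunk; the enclosing option-parsing function starts and ends outside the hunk as well.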
***************
*** 762,768 ****
  {
       fprintf(stderr, "usage: %s [options] principal\n", func);
       fprintf(stderr, "\toptions are:\n");
!      fprintf(stderr, "\t\t[-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n");
       fprintf(stderr, "\tattributes are:\n");
       fprintf(stderr, "%s%s%s",
  	     "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
--- 778,784 ----
  {
       fprintf(stderr, "usage: %s [options] principal\n", func);
       fprintf(stderr, "\toptions are:\n");
!      fprintf(stderr, "\t\t[-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [-lastpwchange pwchangedate]\n\t\t[{+|-}attribute]\n");
       fprintf(stderr, "\tattributes are:\n");
       fprintf(stderr, "%s%s%s",
  	     "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
Index: krb5/lib/kadm5/srv/svr_principal.c
diff -c krb5/lib/kadm5/srv/svr_principal.c:1.3 krb5/lib/kadm5/srv/svr_principal.c:1.4
*** krb5/lib/kadm5/srv/svr_principal.c:1.3	Tue Jun  3 00:07:00 1997
--- krb5/lib/kadm5/srv/svr_principal.c	Thu Jun 26 19:19:38 1997
***************
*** 1,11 ****
  /*
   * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
   *
!  * $Header: /afs/cmf.nrl.navy.mil/project/cvsroot/krb5/lib/kadm5/srv/svr_principal.c,v 1.3 1997/06/03 04:07:00 kenh Exp $
   */
  
  #if !defined(lint) && !defined(__CODECENTER__)
! static char *rcsid = "$Header: /afs/cmf.nrl.navy.mil/project/cvsroot/krb5/lib/kadm5/srv/svr_principal.c,v 1.3 1997/06/03 04:07:00 kenh Exp $";
  #endif
  
  #include	<sys/types.h>
--- 1,11 ----
  /*
   * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
   *
!  * $Header: /afs/cmf.nrl.navy.mil/project/cvsroot/krb5/lib/kadm5/srv/svr_principal.c,v 1.4 1997/06/26 23:19:38 kenh Exp $
   */
  
  #if !defined(lint) && !defined(__CODECENTER__)
! static char *rcsid = "$Header: /afs/cmf.nrl.navy.mil/project/cvsroot/krb5/lib/kadm5/srv/svr_principal.c,v 1.4 1997/06/26 23:19:38 kenh Exp $";
  #endif
  
  #include	<sys/types.h>
***************
*** 358,364 ****
  
      CHECK_HANDLE(server_handle);
  
!     if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
         (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
         (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
         (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
--- 358,364 ----
  
      CHECK_HANDLE(server_handle);
  
!     if((mask & KADM5_PRINCIPAL) ||
         (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
         (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
         (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
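Review bot: Removing KADM5_LAST_PWD_CHANGE from this reject list silently widens what a caller holding modify privilege on a principal may do: it can now rewrite the very field the pw_min_life policy is evaluated against, and nothing in the hunk records that this is intentional. A comment ahead of the condition, `/* KADM5_LAST_PWD_CHANGE is deliberately absent: a modify-privileged admin may reset the last change time to override pw_min_life after a password reset. */`, keeps a later reader from restoring the mask bit as a "fix". The enclosing function and the error it returns for a bad mask are outside this hunk, so whether a second, value-level validation of last_pwd_change exists elsewhere cannot be confirmed from here.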
***************
*** 527,532 ****
--- 527,545 ----
  	      kdb.tl_data = tl;
  	      tl2 = tl2->tl_data_next;
  	 }
+     }
+ 
+     /*
+      * I'm not sure if client programs should be forced to modify the
+      * TL_DATA directly, or use the obvious mechanism of modifying
+      * KADM5_LAST_PW_CHANGE.  To me, the latter seems to make more
+      * sense.
+      */
+ 
+     if (mask & KADM5_LAST_PWD_CHANGE) {
+ 	if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb,
+ 						  entry->last_pwd_change)))
+ 	    goto done;
      }
  
      ret = kdb_put_entry(handle, &kdb, &adb);
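Review bot: The value passed to krb5_dbe_update_last_pwd_change is entry->last_pwd_change exactly as the client supplied it, so the server trusts a remote caller for a field that gates the minimum-lifetime policy; a client-side check in kadmin.c would not cover other kadm5 clients, so a server-side bound such as `if (entry->last_pwd_change > time(NULL)) { ret = <APPROPRIATE_KADM5_ERROR>; goto done; }` (using whichever argument-validation code this file already returns, which is outside the hunk) belongs in front of the update. The new block comment also names KADM5_LAST_PW_CHANGE while the code tests KADM5_LAST_PWD_CHANGE, and it reads as an open question rather than a decision; rewriting it as `/* Callers set the last password change time through KADM5_LAST_PWD_CHANGE instead of editing the TL_DATA directly; this is how an administrator overrides pw_min_life after a reset. */` states what the code actually does. Whether `time()` is already in scope in this file cannot be seen from the hunk; the enclosing function begins and ends outside it.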
>Audit-Trail:
>Unformatted:
