

Remove vestigial svr_principal.c code
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
kadm5_setv4key_principal(), remove the disabled code to enforce
pw_min_life (which is enforced in kadmind as noted in the comments),
as well as the unnecessary last_pwd lookups beforehand.
greghudson committed May 18, 2017
1 parent ae25f6e commit 274f751
Showing 1 changed file with 2 additions and 58 deletions.
60 changes: 2 additions & 58 deletions src/lib/kadm5/srv/svr_principal.c
Expand Up @@ -1326,7 +1326,7 @@ kadm5_chpass_principal_3(void *server_handle,
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
int ret, ret2, last_pwd, hist_added;
int ret, ret2, hist_added;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
Expand Down Expand Up @@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle,
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */

ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;

#if 0
/*
* The spec says this check is overridden if the caller has
* modify privilege. The admin server therefore makes this
* check itself (in chpass_principal_wrapper, misc.c). A
* local caller implicitly has all authorization bits.
*/
if ((now - last_pwd) < pol.pw_min_life &&
!(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif

ret = check_pw_reuse(handle->context, hist_keyblocks,
kdb->n_key_data, kdb->key_data,
1, &hist);
Expand Down Expand Up @@ -1546,7 +1528,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_timestamp now;
kadm5_policy_ent_rec pol;
int ret, last_pwd, n_new_keys;
int ret, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
Expand Down Expand Up @@ -1605,24 +1587,6 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
}
if (have_pol) {
ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;

#if 0
/*
* The spec says this check is overridden if the caller has
* modify privilege. The admin server therefore makes this
* check itself (in chpass_principal_wrapper, misc.c). A
* local caller implicitly has all authorization bits.
*/
if((now - last_pwd) < pol.pw_min_life &&
!(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif

if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
Expand Down Expand Up @@ -1691,9 +1655,6 @@ kadm5_setv4key_principal(void *server_handle,
krb5_keysalt keysalt;
int i, kvno, ret;
krb5_boolean have_pol = FALSE;
#if 0
int last_pwd;
#endif
kadm5_server_handle_t handle = server_handle;
krb5_key_data tmp_key_data;
krb5_keyblock *act_mkey;
Expand Down Expand Up @@ -1756,23 +1717,6 @@ kadm5_setv4key_principal(void *server_handle,
goto done;
}
if (have_pol) {
#if 0
/*
* The spec says this check is overridden if the caller has
* modify privilege. The admin server therefore makes this
* check itself (in chpass_principal_wrapper, misc.c). A
* local caller implicitly has all authorization bits.
*/
if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
kdb, &last_pwd))
goto done;
if((now - last_pwd) < pol.pw_min_life &&
!(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif

if (pol.pw_max_life)
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
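Review bot: With the `#if 0` block gone, nothing in this file records that pw_min_life is deliberately left to kadmind, so a later reader of `kadm5_randkey_principal_3` may re-add an in-library check or assume one still exists; keep a one-line comment at `if (have_pol) {` such as `/* pw_min_life is enforced by kadmind (chpass_principal_wrapper, misc.c); local callers are fully privileged. */`. The deleted comment named only chpass_principal_wrapper, which covers the chpass path; whether the randkey and setv4key server-side wrappers apply the same pw_min_life check is not visible from this diff and is worth confirming before relying on the commit message, since libkadm5srv now performs no such check itself. `now` is still consumed by the `pw_max_life` expiration update on the following lines, so dropping `last_pwd` leaves no unused variable behind. The bodies of kadm5_randkey_principal_3 and kadm5_setv4key_principal start and end outside their hunks.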
