Add require-pwchange flag to HDB and honour it if present in mit-db.

Roland C. Dowdeswell
2012-02-27 10:19:54 +00:00
parent 91f2de8d1a
commit 0da84c0c3a
5 changed files with 11 additions and 0 deletions


@@ -1284,6 +1284,13 @@ kdc_check_flags(krb5_context context,
return KRB5KDC_ERR_NAME_EXP;
}
if (client->flags.require_pwchange &&
(server_ex == NULL || !server_ex->entry.flags.change_pw)) {
kdc_log(context, config, 0,
"Client's key must be changed -- %s", client_name);
return KRB5KDC_ERR_KEY_EXPIRED;
}
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
char pwend_str[100];
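Review bot: The new `if (client->flags.require_pwchange && ...)` branch refuses every ticket except one for the change-password service, but nothing in this commit clears the flag once the password has actually been changed, so a principal in a Heimdal-native HDB would stay locked out after a successful kpasswd unless the flag is reset somewhere not visible here; the kadm5 chpass path should clear `require_pwchange` when it installs the new keys. The branch also reuses `KRB5KDC_ERR_KEY_EXPIRED`, the same code the `pw_end` check below returns, which is presumably deliberate so clients fall into their change-password prompt rather than a hard failure; a comment such as `/* Same error as pw_end expiry so clients enter their change-password flow. */` above the `if` would record that. kdc_check_flags begins before this hunk and continues past it.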


@@ -445,6 +445,7 @@ mdb_value2entry(krb5_context context, krb5_data *data, krb5_kvno target_kvno,
entry->flags.invalid = !!(u32 & KRB5_KDB_DISALLOW_ALL_TIX);
entry->flags.require_preauth =!!(u32 & KRB5_KDB_REQUIRES_PRE_AUTH);
entry->flags.require_hwauth =!!(u32 & KRB5_KDB_REQUIRES_HW_AUTH);
entry->flags.require_pwchange =!!(u32 & KRB5_KDB_REQUIRES_PWCHANGE);
entry->flags.server = !(u32 & KRB5_KDB_DISALLOW_SVR);
entry->flags.change_pw = !!(u32 & KRB5_KDB_PWCHANGE_SERVICE);
entry->flags.client = 1; /* XXX */


@@ -48,6 +48,7 @@ HDBFlags ::= BIT STRING {
allow-digest(16), -- Allow digest requests
locked-out(17), -- Account is locked out,
-- authentication will be denied
require-pwchange(18), -- require a passwd change
do-not-store(31) -- Not to be modified and stored in HDB
}
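Review bot: Adding `require-pwchange(18)` to HDBFlags changes the stored and propagated HDB encoding, and an older Heimdal KDC or iprop/hprop slave that does not know bit 18 will presumably decode the entry without enforcing it, so a forced change is only effective once every KDC in the realm runs this code; that caveat deserves a comment next to the bit or a release-note entry. The comment is also terser than its neighbours, which describe the effect of the flag; suggest `-- require a password change before any ticket other than one for the change-password service is issued`. The HDBFlags definition starts before this hunk.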


@@ -51,6 +51,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
/* DUP_SKEY */
flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
flags->require_pwchange = !!(attr & KRB5_KDB_REQUIRES_PWCHANGE);
/* HW_AUTH */
flags->server = !(attr & KRB5_KDB_DISALLOW_SVR);
flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE);


@@ -161,6 +161,7 @@ kadm5_s_get_principal(void *server_handle,
out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;