From 0da84c0c3a91603eb83fa1edcc107defc53f80c2 Mon Sep 17 00:00:00 2001
From: "Roland C. Dowdeswell"
Date: Mon, 27 Feb 2012 10:19:54 +0000
Subject: [PATCH] Add require-pwchange flag to HDB and honour it if present in mit-db:.

---
 kdc/kerberos5.c | 7 +++++++
 lib/hdb/hdb-mitdb.c | 1 +
 lib/hdb/hdb.asn1 | 1 +
 lib/kadm5/ent_setup.c | 1 +
 lib/kadm5/get_s.c | 1 +
 5 files changed, 11 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index d688d847c..be900a25c 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1284,6 +1284,13 @@ kdc_check_flags(krb5_context context, return KRB5KDC_ERR_NAME_EXP; } + if (client->flags.require_pwchange && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { kdc_log(context, config, 0, "Client's key must be changed -- %s", client_name); return KRB5KDC_ERR_KEY_EXPIRED; } + if (client->pw_end && *client->pw_end < kdc_time && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100];
diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c
index 533add07a..78eed0c1c 100644
--- a/lib/hdb/hdb-mitdb.c
+++ b/lib/hdb/hdb-mitdb.c
@@ -445,6 +445,7 @@ mdb_value2entry(krb5_context context, krb5_data *data, krb5_kvno target_kvno,
 entry->flags.invalid = !!(u32 & KRB5_KDB_DISALLOW_ALL_TIX);
 entry->flags.require_preauth =!!(u32 & KRB5_KDB_REQUIRES_PRE_AUTH);
 entry->flags.require_hwauth =!!(u32 & KRB5_KDB_REQUIRES_HW_AUTH);
+ entry->flags.require_pwchange =!!(u32 & KRB5_KDB_REQUIRES_PWCHANGE);
 entry->flags.server = !(u32 & KRB5_KDB_DISALLOW_SVR);
 entry->flags.change_pw = !!(u32 & KRB5_KDB_PWCHANGE_SERVICE);
 entry->flags.client = 1; /* XXX */
diff --git a/lib/hdb/hdb.asn1 b/lib/hdb/hdb.asn1
index faa58a9ac..333ccb064 100644
--- a/lib/hdb/hdb.asn1
+++ b/lib/hdb/hdb.asn1
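Review bot: The new require_pwchange check in kdc_check_flags refuses every service except one flagged change_pw, but nothing in this patch clears the flag once the password has actually been changed; unless the kadm5 password-change path (not in this diff) already resets `flags.require_pwchange` on a successful change, a principal stays locked to the kpasswd service for good and the flag becomes an administrative lockout rather than a one-time forced change. Worth confirming against the chpass code and, if it is missing, clearing the bit there in the same series. Separately, the new log line is indistinguishable from the pw_end case directly below it, and both return KRB5KDC_ERR_KEY_EXPIRED, so an operator reading the KDC log cannot tell an administratively forced change from natural expiry; consider `"Client's key must be changed (require-pwchange set) -- %s", client_name);`. kdc_check_flags begins and ends outside this hunk.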
@@ -48,6 +48,7 @@ HDBFlags ::= BIT STRING {
 allow-digest(16), -- Allow digest requests
 locked-out(17), -- Account is locked out,
 -- authentication will be denied
+ require-pwchange(18), -- require a passwd change
 do-not-store(31) -- Not to be modified and stored in HDB
 }
diff --git a/lib/kadm5/ent_setup.c b/lib/kadm5/ent_setup.c
index deb6e64fd..1266f204b 100644
--- a/lib/kadm5/ent_setup.c
+++ b/lib/kadm5/ent_setup.c
@@ -51,6 +51,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
 /* DUP_SKEY */
 flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
 flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
+ flags->require_pwchange = !!(attr & KRB5_KDB_REQUIRES_PWCHANGE);
 /* HW_AUTH */
 flags->server = !(attr & KRB5_KDB_DISALLOW_SVR);
 flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c
index b224d507b..a4e1d8259 100644
--- a/lib/kadm5/get_s.c
+++ b/lib/kadm5/get_s.c
@@ -161,6 +161,7 @@ kadm5_s_get_principal(void *server_handle,
 out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
 out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
 out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
+ out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
 out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
 out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
 out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;