oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kadmin: honour pw-expiration-time when adding principal (#360)

Browse Source 
Adding a principal with a random key or password did not respect non-default
password expiration times, because the act of setting the key or password would
clobber it with the default. As we update the principal anyway after setting
the keys, use this opportunity to restore the requested password expiration
time. (There are other ways to solve this, but this is the least intrusive.)
This commit is contained in:
Luke Howard
2018-12-23 16:43:03 +11:00
parent 2974a9841f
commit def6e4fc79
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
kadmin/ank.c
View File

@@ -80,6 +80,7 @@ add_one_principal (const char *name,
kadm5_principal_ent_rec princ, defrec;
kadm5_principal_ent_rec *default_ent = NULL;
krb5_principal princ_ent = NULL;
krb5_timestamp pw_expire;
int mask = 0;
int default_mask = 0;
char pwbuf[1024];
@@ -152,6 +153,8 @@ add_one_principal (const char *name,
krb5_warn(context, ret, "kadm5_create_principal");
goto out;
}
/* Save requested password expiry before it's clobbered */
pw_expire = princ.pw_expiration;
if(rand_key) {
krb5_keyblock *new_keys;
int n_keys, i;
@@ -170,6 +173,7 @@ add_one_principal (const char *name,
krb5_free_principal(context, princ_ent);
princ_ent = princ.principal;
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
princ.pw_expiration = pw_expire;
/*
* Updating kvno w/o key data and vice-versa gives _kadm5_setup_entry()
* and _kadm5_set_keys2() headaches. But we used to, so we handle
@@ -178,7 +182,7 @@ add_one_principal (const char *name,
*/
princ.kvno = 1;
kadm5_modify_principal(kadm_handle, &princ,
KADM5_ATTRIBUTES | KADM5_KVNO);
KADM5_PW_EXPIRATION | KADM5_ATTRIBUTES | KADM5_KVNO);
} else if (key_data) {
ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
3, key_data);
@@ -190,7 +194,9 @@ add_one_principal (const char *name,
krb5_free_principal(context, princ_ent);
princ_ent = princ.principal;
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
princ.pw_expiration = pw_expire;
kadm5_modify_principal(kadm_handle, &princ,
KADM5_PW_EXPIRATION | KADM5_ATTRIBUTES);
} else if (rand_password) {
char *princ_name;