oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: Do not apply new service key delay to clients

Browse Source 
The new [hdb] new_service_key_delay parameter should not apply to
principal entries when used as clients.  Otherwise new passwords would
not take effect immediately, and that would be very confusing.
This commit is contained in:
Nicolas Williams
2020-09-09 21:48:29 -05:00
parent 18459de867
commit ff13573ce5
6 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/hdb/common.c
View File

@@ -1161,10 +1161,11 @@ fix_keys(krb5_context context,
size_t i;
/*
* If we want a specific kvno, or if we're not decrypting the keys, or if
* there's no new-key delay, then we're out.
* If we want a specific kvno, or if the caller doesn't want new keys
* delayed, or if there's no new-key delay configured, or we're not
* fetching for use as a service principal, then we're out.
*/
if (!(flags & HDB_F_DECRYPT) || kvno || h->entry.flags.virtual ||
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual ||
h->entry.flags.virtual_keys || db->new_service_key_delay <= 0)
return 0;