When new keys are added (typically via kadm5_setkey_principal_3),
truncate the key history to remove old keys, that is keys older than
the newest key which was in effect prior longer ago than the principal's
maximum ticket lifetime. This feature is controlled via the "[kadmin]"
section's "prune-key-history" boolean parameter, which defaults to false.
Currently this happens only when kadm5_setkey_principal_3()
is called directly on the server, the client API simulates
kadm5_setkey_principal_3() via a get, update, modify sequence that does
not prune the key history. The plan is to add a new kadm5 protocol RPC
and convert clients to call that instead.
In setkey_principal_3 seal keys after entry key update
Also, for now, don't check the return value of kadm5_log_modify() in
the new kadm5_s_setkey_principal_3(). This has to be addressed more
globally.
Censor stale keys in kadm5_s_get_principal
We enable kadm5_chpass_principal_3() in the server side of the
library. The client kadm5 library calls will still return the
error KAMD5_KS_TUPLE_NO_SUPP.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
The code was generating a char ** of string representations of the
ks_tuple() array but it was not using it. We modify the code to:
1. extend the array returned by ks_tuple2str() to include
enough space for the trailing NULL and ensure that there
is a NULL at the end,
2. not free the array before exiting ks_tuple2str() as we
intend to use it in the caller,
3. re-organise the pointers in hdb_generate_key_set() to
make it more clear how we are to free things that have
been allocated.
4. free the char ** given us by ks_tuple2str() if it has
been allocated.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
Also: add support for ignoring null enctype / zero-length keys,
which *can* be found in MIT DB entries created in pre-historic
times.
Also: make the mitdb HDB backend more elegant (e.g., use the ASN.1
compiler's generated sequence/array utility functions.
Also: add a utility function needed for kadm5 kvno change
improvements and make kadmin's mod --kvno work correctly and
naturally.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
clause and freeing key_set. Found by IBM checker.
Make sure ret == 0 after of parse error, we catch the "no entries
parsed" case later.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16929 ec53bebd-3082-4978-b11e-865c3cabbd6b
Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb backend
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14297 ec53bebd-3082-4978-b11e-865c3cabbd6b
