diff options
| author | Greg Hudson <ghudson@mit.edu> | 2017-05-17 15:21:34 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2017-05-18 12:04:00 -0400 |
| commit | 274f751937a7a713fffd61290c0ce15e890f4b50 (patch) | |
| tree | da6e51cff0e950342d4a2dd7130932899e702e73 /src | |
| parent | ae25f6ec5558140a546db34fea389412d81c0631 (diff) | |
| download | krb5-274f751937a7a713fffd61290c0ce15e890f4b50.zip krb5-274f751937a7a713fffd61290c0ce15e890f4b50.tar.gz krb5-274f751937a7a713fffd61290c0ce15e890f4b50.tar.bz2 | |
Remove vestigial svr_principal.c code
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
kadm5_setv4key_principal(), remove the disabled code to enforce
pw_min_life (which is enforced in kadmind as noted in the comments),
as well as the unnecessary last_pwd lookups beforehand.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 60 |
1 files changed, 2 insertions, 58 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 0d4f0a6..aa56256 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -1326,7 +1326,7 @@ kadm5_chpass_principal_3(void *server_handle, kadm5_policy_ent_rec pol; osa_princ_ent_rec adb; krb5_db_entry *kdb; - int ret, ret2, last_pwd, hist_added; + int ret, ret2, hist_added; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; osa_pw_hist_ent hist; @@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle, if ((adb.aux_attributes & KADM5_POLICY)) { /* the policy was loaded before */ - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); - if (ret) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if ((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - ret = check_pw_reuse(handle->context, hist_keyblocks, kdb->n_key_data, kdb->key_data, 1, &hist); @@ -1546,7 +1528,7 @@ kadm5_randkey_principal_3(void *server_handle, osa_princ_ent_rec adb; krb5_timestamp now; kadm5_policy_ent_rec pol; - int ret, last_pwd, n_new_keys; + int ret, n_new_keys; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; @@ -1605,24 +1587,6 @@ kadm5_randkey_principal_3(void *server_handle, goto done; } if (have_pol) { - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); - if (ret) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - if (pol.pw_max_life) kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else @@ -1691,9 +1655,6 @@ kadm5_setv4key_principal(void *server_handle, krb5_keysalt keysalt; int i, kvno, ret; krb5_boolean have_pol = FALSE; -#if 0 - int last_pwd; -#endif kadm5_server_handle_t handle = server_handle; krb5_key_data tmp_key_data; krb5_keyblock *act_mkey; @@ -1756,23 +1717,6 @@ kadm5_setv4key_principal(void *server_handle, goto done; } if (have_pol) { -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - kdb, &last_pwd)) - goto done; - if((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - if (pol.pw_max_life) kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else |