Try all history keys to decrypt password history A database created prior to 1.3 will have multiple password history keys, and kadmin prior to 1.8 won't necessarily choose the first one. So if there are multiple keys, we have to try them all. If none of the keys can decrypt a password history entry, don't fail the password change operation; it's not worth it without positive evidence of password reuse. (back ported from commit 2782e80a12bccd920fa71e23166ac97c4470a637) https://github.com/krb5/krb5/commit/992f1fa3e4af37bb26c94e946cd6eb9c9966e59b Author: Tom Yu Commit: 992f1fa3e4af37bb26c94e946cd6eb9c9966e59b Branch: krb5-1.8 src/lib/kadm5/server_internal.h | 6 +++- src/lib/kadm5/srv/server_kdb.c | 54 ++++++++++++++++++++++++------------- src/lib/kadm5/srv/svr_principal.c | 47 +++++++++++++++---------------- 3 files changed, 62 insertions(+), 45 deletions(-)