Subject: kadmind minimum life check fails for nonexistent policies
In kadmind, when a principal performs a self-service key change (randkey or
chpass), we look up the principal's policy and check the minimum password
lifetime. This check currently fails if the policy does not exist, which
contradicts the intent of #7385. We should relax check_min_life() to
succeed if kadm5_get_policy() returns KADM5_UNK_POLICY.

Reported by John Devitofranceschi.
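
The lookup-then-compare logic described in this ticket, as an added, simplified C model (not the krb5 source and not part of the original ticket). The `model_` names, the `MODEL_DB_ERROR` code, the numeric values of the result codes and the sample policies and principals are all assumptions made up for illustration; the `relaxed` flag switches between the reported behaviour and the requested one.

```c
#include <stdio.h>
#include <string.h>

/* Result codes: names as in the ticket/libkadm5, values arbitrary for this model. */
enum { KADM5_OK, KADM5_UNK_POLICY, KADM5_PASS_TOOSOON, MODEL_DB_ERROR };

struct model_policy { const char *name; long pw_min_life; };
struct model_princ { const char *policy; long last_pwd_change; }; /* policy NULL: none assigned */

/* Constructed policy database: only "strict" exists. */
static const struct model_policy policies[] = { { "strict", 86400 } };

static int model_get_policy(const char *name, struct model_policy *out)
{
    size_t i;
    if (strcmp(name, "db-down") == 0)  /* simulated backend failure */
        return MODEL_DB_ERROR;
    for (i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        if (strcmp(policies[i].name, name) == 0) {
            *out = policies[i];
            return KADM5_OK;
        }
    }
    return KADM5_UNK_POLICY;
}

/* relaxed == 0: behaviour the ticket reports; relaxed != 0: behaviour it asks for. */
static int model_check_min_life(const struct model_princ *p, long now, int relaxed)
{
    struct model_policy pol;
    int ret;
    if (p->policy == NULL)
        return KADM5_OK;
    ret = model_get_policy(p->policy, &pol);
    if (ret == KADM5_UNK_POLICY && relaxed)
        return KADM5_OK;       /* dangling policy name: the check succeeds */
    if (ret != KADM5_OK)
        return ret;            /* any other lookup error still fails the change */
    if (now - p->last_pwd_change < pol.pw_min_life)
        return KADM5_PASS_TOOSOON;
    return KADM5_OK;
}

int main(void)
{
    struct model_princ p = { "deleted-policy", 1000 };  /* constructed principal */
    printf("strict=%d relaxed=%d\n", model_check_min_life(&p, 2000, 0),
           model_check_min_life(&p, 2000, 1));
    return 0;
}
```

Only the unknown-policy result is relaxed: an existing policy still enforces its minimum lifetime, and a lookup failure of any other kind still rejects the key change.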

From: ghudson@mit.edu
Subject: git commit

Fix kadmin min_life check with nonexistent policy

In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.

https://github.com/krb5/krb5/commit/5fca279ca4d18f1b5798847a98e7df8737d2eb7c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5fca279ca4d18f1b5798847a98e7df8737d2eb7c
Branch: master
src/kadmin/server/misc.c | 4 +++-
src/tests/t_policy.py | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Fix kadmin min_life check with nonexistent policy

In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.

(cherry picked from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)

https://github.com/krb5/krb5/commit/ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
Branch: krb5-1.14
src/kadmin/server/misc.c | 4 +++-
src/tests/t_policy.py | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Fix kadmin min_life check with nonexistent policy

In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.

(back ported from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)

https://github.com/krb5/krb5/commit/736521cfa04cf30ab7a6d57a75b267eed90a6593
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 736521cfa04cf30ab7a6d57a75b267eed90a6593
Branch: krb5-1.13
src/kadmin/server/misc.c | 4 +++-
src/tests/t_policy.py | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)