author | Simo Sorce <ssorce@redhat.com> | 2010-10-27 15:05:56 -0400 |
committer | Simo Sorce <ssorce@redhat.com> | 2010-10-28 17:18:03 -0400 |
commit | 4f8e4482b316cc5996986bdfae12cc27be27df5e (patch) | |
tree | 672d8bb2672dd5e18586bad3b48fbe612388f0ec /daemons/ipa-slapi-plugins | |
parent | 79c39339dae3d95db977bea153938bb2d7e98052 (diff) | |
pwd-plugin: Always use a special salt by default.
This should let renamed users keep using their old credentials, since the salt
is no longer derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c | 50 |
1 files changed, 22 insertions, 28 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 462622a5..527e178f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 case KRB5_KDB_SALTTYPE_NORMAL:
- /* If pre auth is required we can set a random salt, otherwise
- * we have to use a more conservative approach and set the salt
- * to be REALMprincipal (the concatenation of REALM and principal
- * name without any separator) */
-#if 0
- if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
- salt.length = KRB5P_SALT_SIZE;
- salt.data = malloc(KRB5P_SALT_SIZE);
- if (!salt.data) {
- LOG_OOM();
- goto enc_error;
- }
- krberr = krb5_c_random_make_octets(krbctx, &salt);
- if (krberr) {
- LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
- krb5_get_error_message(krbctx, krberr));
- goto enc_error;
- }
- } else {
-#endif
- krberr = krb5_principal2salt(krbctx, princ, &salt);
- if (krberr) {
- LOG_FATAL("krb5_principal2salt failed [%s]\n",
- krb5_get_error_message(krbctx, krberr));
- goto enc_error;
- }
-#if 0
+ krberr = krb5_principal2salt(krbctx, princ, &salt);
+ if (krberr) {
+ LOG_FATAL("krb5_principal2salt failed [%s]\n",
+ krb5_get_error_message(krbctx, krberr));
+ goto enc_error;
+ }
+ break;
+
+ case KRB5_KDB_SALTTYPE_SPECIAL:
+
+ /* make random salt */
+ salt.length = KRB5P_SALT_SIZE;
+ salt.data = malloc(KRB5P_SALT_SIZE);
+ if (!salt.data) {
+ LOG_OOM();
+ goto enc_error;
+ }
+ krberr = krb5_c_random_make_octets(krbctx, &salt);
+ if (krberr) {
+ LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+ krb5_get_error_message(krbctx, krberr));
+ goto enc_error;
 }
-#endif
 break;
 case KRB5_KDB_SALTTYPE_V4: |
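Review bot: The new KRB5_KDB_SALTTYPE_SPECIAL branch mallocs `salt.data` and then jumps to `enc_error` when `krb5_c_random_make_octets` fails, but whether that label releases `salt.data` cannot be seen from this hunk, since encrypt_encode_key begins and ends outside it; now that this path is live (it was previously under `#if 0`), the cleanup at `enc_error` should be confirmed, and the same question applies to the buffer `krb5_principal2salt` allocates in the NORMAL branch. The one-line `/* make random salt */` comment drops the rationale the removed comment carried; I would write `/* Random salt: unlike NORMAL, the key stays usable after the principal is renamed (ticket 412). */` and keep a short note on the NORMAL case that its salt is REALM followed by the principal name with no separator, so it changes whenever the principal is renamed. This hunk only adds the SPECIAL branch and does not change which salt type is selected, so the "by default" part of the commit title presumably lives outside the files shown in this diffstat.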