| author | Greg Hudson <ghudson@mit.edu> | 2012-04-04 21:38:57 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-04-04 21:38:57 +0000 |
| commit | af5ee660dec2ef573366a0667526da66898158d7 (patch) | |
| tree | b11f2bd2061aa3580a46e97a53db71f804cffcf8 /src | |
| parent | 319d7ed2cf78f2a4afd0c2a18f0645ba1f375903 (diff) | |
Fix password reuse check with cpw -keepold
When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.
This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".
Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.
ticket: 7110
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25801 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index f4715fbb1e..f77490fe18 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -972,6 +972,9 @@ check_pw_reuse(krb5_context context, assert (n_new_key_data >= 0); for (x = 0; x < (unsigned) n_new_key_data; x++) { + /* Check only entries with the most recent kvno. */ + if (new_key_data[x].key_data_kvno != new_key_data[0].key_data_kvno) + break; ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]), &newkey, NULL); if (ret) |
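Review bot: the new check in check_pw_reuse() relies on an ordering invariant that the hunk does not document: using `break` on the first entry whose kvno differs from `new_key_data[0].key_data_kvno` only works if the array is sorted with the most recent kvno first and all entries of that kvno are contiguous. If a caller ever passes key data in a different order, entries with the most recent kvno that follow the first mismatch are silently skipped and never compared against history, which weakens the reuse check rather than fixing it. Either extend the comment to state the ordering assumption ("new_key_data is sorted by descending kvno, so the most recent kvno is at index 0"), or use `continue` instead of `break` so the result does not depend on contiguity; in either case the cost is at most one extra comparison per stale entry.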
