Prevent integer overflow when setting krbPasswordExpiration

Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114
author: Tomas Babej <tbabej@redhat.com> 2013-01-14 10:19:44 -0500
committer: Martin Kosek <mkosek@redhat.com> 2013-02-08 15:54:34 +0100
commit: 4d17b7217256996c51b579504f47b9d1ef037f04 (patch)
tree: 7e06d1708f4313cecefa7845a366f6371e1421d8 /util
parent: c2f1fdf93105e8956f876048c30d5668f1c5e521 (diff)
download: freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.tar.gz
freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.tar.xz
freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 00de889f..a6990cac 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,9 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/* 1 Jan 2038, 00:00 GMT */
+#define IPAPWD_END_OF_TIME 2145916800
+
 /*
  * IMPORTANT: please update error string table in ipa_pwd.c if you change this
  * error code table.
author	Tomas Babej <tbabej@redhat.com>	2013-01-14 10:19:44 -0500
committer	Martin Kosek <mkosek@redhat.com>	2013-02-08 15:54:34 +0100
commit	4d17b7217256996c51b579504f47b9d1ef037f04 (patch)
tree	7e06d1708f4313cecefa7845a366f6371e1421d8 /util
parent	c2f1fdf93105e8956f876048c30d5668f1c5e521 (diff)
download	freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.tar.gz freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.tar.xz freeipa.git-4d17b7217256996c51b579504f47b9d1ef037f04.zip