| author | Peter Shoults <Peter.Shoults@Sun.COM> | 2010-04-26 13:42:14 -0400 |
|---|---|---|
| committer | Peter Shoults <Peter.Shoults@Sun.COM> | 2010-04-26 13:42:14 -0400 |
| commit | 661b8ac7d0f039c645db17e87130c2c1eebeda1c (patch) | |
| tree | f1fc00a3846b3b6b5a86213d5cc7f1ae14fc404d /usr/src | |
| parent | c3f63b71e46d1e718f2b8e17c914bf629a1fe9c5 (diff) | |
| download | illumos-joyent-661b8ac7d0f039c645db17e87130c2c1eebeda1c.tar.gz | |
6885914 KDC doesn't enforce the password min-age policy
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/cmd/krb5/kadmin/server/misc.c | 80 | ||||
| -rw-r--r-- | usr/src/cmd/krb5/kadmin/server/misc.h | 6 | ||||
| -rw-r--r-- | usr/src/lib/krb5/kadm5/admin.h | 7 | ||||
| -rw-r--r-- | usr/src/lib/krb5/kadm5/srv/mapfile-vers | 4 | ||||
| -rw-r--r-- | usr/src/lib/krb5/kadm5/srv/svr_principal.c | 74 |
5 files changed, 88 insertions, 83 deletions
diff --git a/usr/src/cmd/krb5/kadmin/server/misc.c b/usr/src/cmd/krb5/kadmin/server/misc.c index 40965ed1db..9bdd12ed74 100644 --- a/usr/src/cmd/krb5/kadmin/server/misc.c +++ b/usr/src/cmd/krb5/kadmin/server/misc.c @@ -1,9 +1,7 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. */ - /* * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING * @@ -21,7 +19,6 @@ * */ - /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -30,6 +27,7 @@ #include <k5-int.h> #include <krb5/kdb.h> #include <kadm5/server_internal.h> +#include <kadm5/admin.h> #include "misc.h" /* @@ -67,7 +65,8 @@ chpass_principal_wrapper_3(void *server_handle, { kadm5_ret_t ret; - ret = check_min_life(server_handle, principal, NULL, 0); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, principal, NULL, 0); if (ret) return ret; @@ -110,7 +109,8 @@ randkey_principal_wrapper_3(void *server_handle, { kadm5_ret_t ret; - ret = check_min_life(server_handle, principal, NULL, 0); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, principal, NULL, 0); if (ret) return ret; return kadm5_randkey_principal_3(server_handle, principal, @@ -125,7 +125,8 @@ schpw_util_wrapper(void *server_handle, krb5_principal princ, { kadm5_ret_t ret; - ret = check_min_life(server_handle, princ, msg_ret, msg_len); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, princ, msg_ret, msg_len); if (ret) return ret; 
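Review bot: chpass_principal_wrapper_3 now runs kadm5_check_min_life and then calls kadm5_chpass_principal_3, which (per the svr_principal.c hunk further down) runs the same check again, so that path does two principal/policy lookups per password change; the randkey wrappers here and in the next hunk are not duplicated because only kadm5_chpass_principal_3 gained the library-level call. Keeping the wrapper call in schpw_util_wrapper is still needed, since it is the only caller passing msg_ret/msg_len and the library-level call passes NULL/0, so the bare `/* Solaris Kerberos */` tag is worth expanding to `/* Solaris Kerberos: kept so the caller gets the "too soon" message; kadm5_chpass_principal_3 repeats the check without one. */`. Whether chpass_principal_wrapper_3 should drop its call is a judgement on whether the second lookup matters; if it stays, a comment saying the duplication is intentional avoids a later cleanup removing the wrong one.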
@@ -140,71 +141,10 @@ randkey_principal_wrapper(void *server_handle, krb5_principal princ,
 {
 kadm5_ret_t ret;
 
- ret = check_min_life(server_handle, princ, NULL, 0);
+ /* Solaris Kerberos */
+ ret = kadm5_check_min_life(server_handle, princ, NULL, 0);
 if (ret)
 return ret;
 
 return kadm5_randkey_principal(server_handle, princ, keys, n_keys);
 }
-
-kadm5_ret_t
-check_min_life(void *server_handle, krb5_principal principal,
- char *msg_ret, unsigned int msg_len)
-{
- krb5_int32 now;
- kadm5_ret_t ret;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
- kadm5_server_handle_t handle = server_handle;
-
- if (msg_ret != NULL)
- *msg_ret = '\0';
-
- ret = krb5_timeofday(handle->context, &now);
- if (ret)
- return ret;
-
- ret = kadm5_get_principal(handle->lhandle, principal,
- &princ, KADM5_PRINCIPAL_NORMAL_MASK);
- if(ret)
- return ret;
- if(princ.aux_attributes & KADM5_POLICY) {
- if((ret=kadm5_get_policy(handle->lhandle,
- princ.policy, &pol)) != KADM5_OK) {
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
- }
- if((now - princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- if (msg_ret != NULL) {
- time_t until;
- char *time_string, *ptr, *errstr;
-
- until = princ.last_pwd_change + pol.pw_min_life;
-
- time_string = ctime(&until);
- errstr = (char *)error_message(CHPASS_UTIL_PASSWORD_TOO_SOON);
-
- if (strlen(errstr) + strlen(time_string) >= msg_len) {
- *errstr = '\0';
- } else {
- if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
- *ptr = '\0';
- sprintf(msg_ret, errstr, time_string);
- }
- }
-
- (void) kadm5_free_policy_ent(handle->lhandle, &pol);
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return KADM5_PASS_TOOSOON;
- }
-
- ret = kadm5_free_policy_ent(handle->lhandle, &pol);
- if (ret) {
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
- }
- }
-
- return kadm5_free_principal_ent(handle->lhandle, &princ);
-}
diff --git a/usr/src/cmd/krb5/kadmin/server/misc.h b/usr/src/cmd/krb5/kadmin/server/misc.h index 2e3cacc468..eb52911798 100644 --- a/usr/src/cmd/krb5/kadmin/server/misc.h +++ b/usr/src/cmd/krb5/kadmin/server/misc.h @@ -1,6 +1,5 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _MISC_H @@ -55,9 +54,6 @@ schpw_util_wrapper(void *server_handle, krb5_principal princ, char *new_pw, char **ret_pw, char *msg_ret, unsigned int msg_len); -kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal, - char *msg_ret, unsigned int msg_len); - kadm5_ret_t kadm5_get_principal_v1(void *server_handle, krb5_principal principal, kadm5_principal_ent_t_v1 *ent); diff --git a/usr/src/lib/krb5/kadm5/admin.h b/usr/src/lib/krb5/kadm5/admin.h index 90f582e843..63c2129bdb 100644 --- a/usr/src/lib/krb5/kadm5/admin.h +++ b/usr/src/lib/krb5/kadm5/admin.h @@ -1,6 +1,5 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef __KADM5_ADMIN_H__ @@ -433,6 +432,10 @@ kadm5_ret_t kadm5_lock(void *server_handle); kadm5_ret_t kadm5_unlock(void *server_handle); kadm5_ret_t kadm5_flush(void *server_handle); kadm5_ret_t kadm5_destroy(void *server_handle); +kadm5_ret_t kadm5_check_min_life(void *server_handle, /* Solaris Kerberos */ + krb5_principal principal, + char *msg_ret, + unsigned int msg_len); kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t ent, long mask, char *pass); diff --git a/usr/src/lib/krb5/kadm5/srv/mapfile-vers b/usr/src/lib/krb5/kadm5/srv/mapfile-vers index 0ca0e6eb17..1249ea45dd 100644 --- a/usr/src/lib/krb5/kadm5/srv/mapfile-vers +++ b/usr/src/lib/krb5/kadm5/srv/mapfile-vers 
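Review bot: The new public prototype in admin.h carries only `/* Solaris Kerberos */` and no contract for msg_ret/msg_len, which is the part callers get wrong: from the implementation in the last hunk, msg_ret may be NULL, msg_len is the full size of the msg_ret buffer including the terminator, msg_ret is emptied on entry, and KADM5_PASS_TOOSOON is returned when the principal's policy pw_min_life has not elapsed since last_pwd_change unless KRB5_KDB_REQUIRES_PWCHANGE is set. A short block comment above the declaration stating that, and that the message text is the CHPASS_UTIL_PASSWORD_TOO_SOON error with the earliest-change time filled in, would make the exported symbol usable without reading svr_principal.c. The mapfile hunk on the next line exports it under SUNWprivate_1.1, so the same comment should say it is not part of the stable kadm5 API.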
@@ -18,8 +18,7 @@ # # CDDL HEADER END # -# Copyright 2009 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. +# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. # # @@ -59,6 +58,7 @@ SUNWprivate_1.1 { hist_kvno; hist_princ; init_dict; + kadm5_check_min_life; kadm5_chpass_principal; kadm5_chpass_principal_3; kadm5_chpass_principal_util; diff --git a/usr/src/lib/krb5/kadm5/srv/svr_principal.c b/usr/src/lib/krb5/kadm5/srv/svr_principal.c index f02deb362b..052f3c80c5 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_principal.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_principal.c @@ -1,9 +1,7 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. */ - /* * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING * @@ -21,7 +19,6 @@ * */ - /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -42,6 +39,9 @@ static char *rcsid = "$Header$"; #include <string.h> #include <stdarg.h> #include <stdlib.h> +#include <k5-int.h> +#include <kadm5/server_internal.h> +#include <kadm5/admin.h> #ifdef USE_PASSWORD_SERVER #include <sys/wait.h> #endif @@ -1350,6 +1350,10 @@ kadm5_chpass_principal_3(void *server_handle, CHECK_HANDLE(server_handle); + /* Solaris Kerberos - kadm5_check_min_life checks for null principal. */ + ret = kadm5_check_min_life(server_handle,principal,NULL,0); + if (ret) + return (ret); krb5_clear_error_message(handle->context); hist_added = 0; 
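Review bot: The comment above the new call claims `kadm5_check_min_life checks for null principal`, but the function body added in the last hunk passes principal straight to kadm5_get_principal() with no check of its own, so whatever NULL handling exists lives there rather than in kadm5_check_min_life; either reword the comment to say so, or move the call below kadm5_chpass_principal_3's own argument validation if it has one further down (the function body continues outside the hunk). Style: `kadm5_check_min_life(server_handle,principal,NULL,0)` and `return (ret);` differ from the spacing and the `return ret;` form used by the surrounding code and by the new function itself; `ret = kadm5_check_min_life(server_handle, principal, NULL, 0);` followed by `return ret;` would match. Because this call passes NULL/0, KADM5_PASS_TOOSOON reaches callers of kadm5_chpass_principal_3 without the "until <time>" text, which is worth a one-line comment noting that the user-facing message is produced only by the kadmind wrappers in misc.c.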
@@ -2194,3 +2198,65 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
 return KADM5_OK;
 }
 
+/* Solaris Kerberos */
+kadm5_ret_t
+kadm5_check_min_life(void *server_handle, krb5_principal principal,
+ char *msg_ret, unsigned int msg_len)
+{
+ krb5_int32 now;
+ kadm5_ret_t ret;
+ kadm5_policy_ent_rec pol;
+ kadm5_principal_ent_rec princ;
+ kadm5_server_handle_t handle = server_handle;
+
+ if (msg_ret != NULL)
+ *msg_ret = '\0';
+
+ ret = krb5_timeofday(handle->context, &now);
+ if (ret)
+ return ret;
+
+ ret = kadm5_get_principal(handle->lhandle, principal,
+ &princ, KADM5_PRINCIPAL_NORMAL_MASK);
+ if(ret)
+ return ret;
+ if(princ.aux_attributes & KADM5_POLICY) {
+ if((ret=kadm5_get_policy(handle->lhandle,
+ princ.policy, &pol)) != KADM5_OK) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
+ }
+ if((now - princ.last_pwd_change) < pol.pw_min_life &&
+ !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ if (msg_ret != NULL) {
+ time_t until;
+ char *time_string, *ptr, *errstr;
+
+ until = princ.last_pwd_change + pol.pw_min_life;
+
+ time_string = ctime(&until);
+ errstr = (char *)error_message(CHPASS_UTIL_PASSWORD_TOO_SOON);
+
+ if (strlen(errstr) + strlen(time_string) >= msg_len) {
+ *errstr = '\0';
+ } else {
+ if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
+ *ptr = '\0';
+ sprintf(msg_ret, errstr, time_string);
+ }
+ }
+
+ (void) kadm5_free_policy_ent(handle->lhandle, &pol);
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return KADM5_PASS_TOOSOON;
+ }
+
+ ret = kadm5_free_policy_ent(handle->lhandle, &pol);
+ if (ret) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
+ }
+ }
+
+ return kadm5_free_principal_ent(handle->lhandle, &princ);
+} |
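Review bot: When the formatted message would not fit, `*errstr = '\0';` writes a NUL into the string returned by error_message(), not into msg_ret, which silently truncates the shared CHPASS_UTIL_PASSWORD_TOO_SOON text for every later caller, and the (char *) cast only hides that error_message() hands back storage the caller does not own, so the store is undefined behaviour if that table is read-only; msg_ret was already cleared at the top of the function, so the line should be `*msg_ret = '\0';` or simply dropped. On the other branch `sprintf(msg_ret, errstr, time_string)` relies on the separate strlen bound check; `snprintf(msg_ret, msg_len, errstr, time_string);` keeps the write and the bound in one place. ctime() uses a static buffer and may return NULL for an unrepresentable `until`, after which strlen(time_string) dereferences NULL; in a server library, ctime_r() into a local buffer followed by a NULL check is the safer form. This is the same body removed from misc.c in the earlier hunk, so the defects are inherited rather than introduced, but the function is now an exported libkadm5srv entry point and worth cleaning up on the way in.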
