kpasswdd storing old keys unconditionally

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

kpasswdd storing old keys unconditionally

Patrik Lundin-2
Hello,

I have noticed that passwords being changed via kpasswd (kpasswdd) in
1.6 keep old passwords in the database unconditionally.

Codewise it can be tracked down to this line in kpasswdd.c:
===
ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
===

The third argument (1) is the "keepold" flag, so it is clear there is no
way to manage this behaviour from the configuration.

Is there a reason this was done? I know --keepold support was added in
1.6, but making that the default for normal users seems a bit excessive
since this creates an ever increasing backlog of old keys.

I know of no way to clean up old keys short of setting a new password
via kadmin where the --keepold flag is optional, and this is not really
doable for normal users.

Regards,
Patrik Lundin