krb5/krb5-1.8-key_exp.patch

Sadique Puthen notes that the warning on the client side seems to be correspond
to the wrong attribute on the KDC.  Do what RFC4120 says we should do.  RT#5755.

diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c
--- krb5-1.8/src/kdc/do_as_req.c.key_exp	2010-02-16 17:21:08.000000000 -0500
+++ krb5-1.8/src/kdc/do_as_req.c	2010-03-05 11:02:06.000000000 -0500
@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr
         goto errout;
     }
     reply_encpart.nonce = request->nonce;
-    reply_encpart.key_exp = client.expiration;
+    if (client.expiration == 0) {
+       reply_encpart.key_exp = client.pw_expiration;
+    } else if (client.pw_expiration == 0) {
+       reply_encpart.key_exp = client.expiration;
+    } else {
+       reply_encpart.key_exp = client.pw_expiration < client.expiration ?
+                               client.pw_expiration : client.expiration;
+    }
     reply_encpart.flags = enc_tkt_reply.flags;
     reply_encpart.server = ticket_reply.server;
- test patch for password expiration reporting 2007-07-26 19:06:51 +00:00			`Sadique Puthen notes that the warning on the client side seems to be correspond`
- note RT numbers for reference - include but don't apply the other suggested patch for kpasswd-doesn't-use-tcp 2008-01-23 18:27:03 +00:00			`to the wrong attribute on the KDC. Do what RFC4120 says we should do. RT#5755.`
- update to 1.8 - temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM 2010-03-05 22:19:38 +00:00
			`diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c`
			`--- krb5-1.8/src/kdc/do_as_req.c.key_exp 2010-02-16 17:21:08.000000000 -0500`
			`+++ krb5-1.8/src/kdc/do_as_req.c 2010-03-05 11:02:06.000000000 -0500`
			`@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr`
			`goto errout;`
- test patch for password expiration reporting 2007-07-26 19:06:51 +00:00			`}`
			`reply_encpart.nonce = request->nonce;`
			`- reply_encpart.key_exp = client.expiration;`
- Do what the rfc says we should do, rather than what the error message suggests we're doing. 2007-09-04 16:34:44 +00:00			`+ if (client.expiration == 0) {`
			`+ reply_encpart.key_exp = client.pw_expiration;`
			`+ } else if (client.pw_expiration == 0) {`
			`+ reply_encpart.key_exp = client.expiration;`
			`+ } else {`
- wow, fix a syntax error 2008-02-12 21:03:29 +00:00			`+ reply_encpart.key_exp = client.pw_expiration < client.expiration ?`
- Do what the rfc says we should do, rather than what the error message suggests we're doing. 2007-09-04 16:34:44 +00:00			`+ client.pw_expiration : client.expiration;`
			`+ }`
- test patch for password expiration reporting 2007-07-26 19:06:51 +00:00			`reply_encpart.flags = enc_tkt_reply.flags;`
			`reply_encpart.server = ticket_reply.server;`