The algorithm for determining whether a password is in the principal's
key history is complicated by the use of the kadmin/history K
encrypting key.
- For kadm5_chpass_principal, convert the password to a key
using string-to-key and the salt method specified by the command line
arguments.
- If the POLICY bit is set and pw_history_num is not zero, check
if the new key is in the history.
  - Retrieve the principal's current key and decrypt it with K.
    If it is the same as the new key, return KADM5_PASS_REUSE.
  - Retrieve the kadmin/history key K and decrypt it with K.
  - Encrypt the principal's new key in K.
  - If the principal's new key encrypted in K is in old_keys,
    return KADM5_PASS_REUSE.
  - Encrypt the principal's current key in K and store it in
    old_keys.
  - Erase the memory containing K.
- Encrypt the principal's new key in K and store it in the
database.
- Erase the memory containing K.
To store an encrypted key in old_keys, insert it as the
old_key_next element of old_keys, and increment old_key_next by one
modulo pw_history_num.
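The procedure above, including the old_keys ring buffer, as an added Python example that is not the kadm5 implementation. `db_key` and `hist_key` are assumed names for the two keys the text writes as K, the principal record is a hypothetical dict, and `string_to_key` and `wrap` are standard-library stand-ins, not Kerberos cryptography.

```python
import hashlib, hmac, os

KADM5_OK, KADM5_PASS_REUSE = "KADM5_OK", "KADM5_PASS_REUSE"  # labels, not the numeric codes

def string_to_key(password, salt):
    # Stand-in for the Kerberos string-to-key of the selected salt method.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def wrap(kek, key):
    # Stand-in deterministic key encryption: XOR with an HMAC-derived pad, so equal
    # keys give equal ciphertexts (the history lookup compares ciphertexts).
    # XOR makes wrap() its own inverse, so it also serves as "decrypt".
    pad = hmac.new(kek, b"key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def store_old_key(princ, enc_key, pw_history_num):
    # Ring buffer: write at old_key_next, then advance modulo pw_history_num.
    i = princ["old_key_next"]
    princ["old_keys"][i:i + 1] = [enc_key]   # appends while filling, overwrites after
    princ["old_key_next"] = (i + 1) % pw_history_num

def chpass(princ, password, db_key, enc_hist_key, pw_history_num, policy=True):
    # db_key: bytearray with the key that protects stored keys; erased on every exit.
    try:
        new_key = string_to_key(password, princ["salt"])
        if policy and pw_history_num != 0:
            current = wrap(db_key, princ["key"])               # decrypt current key
            if hmac.compare_digest(current, new_key):
                return KADM5_PASS_REUSE
            hist_key = bytearray(wrap(db_key, enc_hist_key))   # decrypt history key
            try:
                if wrap(hist_key, new_key) in princ["old_keys"]:
                    return KADM5_PASS_REUSE
                store_old_key(princ, wrap(hist_key, current), pw_history_num)
            finally:
                hist_key[:] = bytes(len(hist_key))             # erase history key
        princ["key"] = wrap(db_key, new_key)
        return KADM5_OK
    finally:
        db_key[:] = bytes(len(db_key))                         # erase db key

def demo():
    # Constructed sample data: random keys, a made-up salt, pw_history_num = 2.
    db, salt = os.urandom(32), b"EXAMPLE.COMalice"
    enc_hist = wrap(db, os.urandom(32))
    princ = {"salt": salt, "key": wrap(db, string_to_key("pw0", salt)),
             "old_keys": [], "old_key_next": 0}
    changes = ("pw1", "pw1", "pw0", "pw2", "pw3", "pw0")
    return [chpass(princ, p, bytearray(db), enc_hist, 2) for p in changes], princ
```

With a history of two, the last change back to `pw0` succeeds because its slot was overwritten when the ring wrapped.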
Autobuild
2006-06-16