mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Prevent integer overflow when setting krbPasswordExpiration
Since in Kerberos V5 are used 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause integer overflow in krbPasswordExpiration attribute. This would result into unpredictable behaviour such as users not being able to log in after password expiration if password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114
This commit is contained in:
Tomas Babej
committed by
Martin Kosek
Martin Kosek
parent
1d35043e46
commit
0e8a329048
@@ -27,6 +27,9 @@
|
||||
#define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
|
||||
#define IPAPWD_DEFAULT_MINLEN 0
|
||||
|
||||
/* 1 Jan 2038, 00:00 GMT */
|
||||
#define IPAPWD_END_OF_TIME 2145916800
|
||||
|
||||
/*
|
||||
* IMPORTANT: please update error string table in ipa_pwd.c if you change this
|
||||
* error code table.
|
||||
|
||||
Reference in New Issue
Block a user