krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.
This commit:
- adds some helper functions for working with krb5_timestamp as
unsigned (actually copied from
https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
- replaces operations with krb5_timestamp's by these new functions
Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Enable checking:
maxrepeat - reject passwrods which contain more than N consecutive
characters.
maxsequence - rejected passwords which contain character sequences
(abcde).
dictcheck - check passwords using cracklib
usercheck - check whether the password contains the user name.
The class checking provided by libpwpolicy is not used because this
overlaps with the existing IPA checking. This includes the options
dcredit, ucredit, lcredit, ocredit, minclass and maxclassrepeat.
The pwquality min length is fixed at 6 so if there is a conflict between
the system policy and pwquality log that length is enforced at 6.
https://pagure.io/freeipa/issue/6964https://pagure.io/freeipa/issue/5948https://pagure.io/freeipa/issue/2445https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
"dirsrv/slapi-plugin.h" is unnecessary for build of ipa_pwd.
This patch allow us to move DIRSRV to daemon only dependencies
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.
This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).
The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.
https://fedorahosted.org/freeipa/ticket/3312https://fedorahosted.org/freeipa/ticket/3114
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.
https://fedorahosted.org/freeipa/ticket/2067