[Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration

Rob Crittenden rcritten at redhat.com
Tue Jan 15 20:53:36 UTC 2013


Dmitri Pal wrote:
> On 01/15/2013 08:48 AM, Simo Sorce wrote:
>> On Mon, 2013-01-14 at 16:46 +0100, Tomas Babej wrote:
>>> Hi,
>>>
>>> Since Kerberos V5 uses 32-bit Unix timestamps, setting
>>> maxlife in pwpolicy to values such as 9999 days would cause
>>> integer overflow in krbPasswordExpiration attribute.
>>>
>>> This would result in unpredictable behaviour such as users
>>> not being able to log in after password expiration if password
>>> policy was changed (#3114) or new users not being able to log
>>> in at all (#3312).
>>>
>>> https://fedorahosted.org/freeipa/ticket/3312
>>> https://fedorahosted.org/freeipa/ticket/3114
>> Given that we control the KDC LDAP driver I think we should not limit
>> the time in LDAP but rather 'fix-it-up' for the KDC in the DAL driver.
>
> Fix how? Truncate to max in the driver itself if it was entered beyond max?
> Shouldn't we also prevent entering the invalid value into the attribute?
>

I've been mulling the same question for a while. Why would we want to 
let bad data get into the directory?

rob
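
Added example, not part of the thread or of the FreeIPA patch: the overflow Tomas describes, alongside the two remedies debated above (clamping on the read side versus rejecting the policy value on entry). All function names are hypothetical, the `now` value is constructed, and non-negative inputs are assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Expiration computed in 64 bits: now + maxlife (in days). */
static int64_t expiry64(int64_t now, int64_t maxlife_days)
{
    return now + maxlife_days * SECS_PER_DAY;
}

/* What a signed 32-bit timestamp ends up holding (two's complement wrap). */
static int32_t expiry_wrapped(int64_t now, int64_t maxlife_days)
{
    uint32_t low = (uint32_t)expiry64(now, maxlife_days); /* modulo 2^32 */
    return low > INT32_MAX ? (int32_t)((int64_t)low - 4294967296LL)
                           : (int32_t)low;
}

/* Remedy 1: fix the value up for the consumer by clamping to the maximum. */
static int32_t expiry_clamped(int64_t now, int64_t maxlife_days)
{
    int64_t e = expiry64(now, maxlife_days);
    return e > INT32_MAX ? INT32_MAX : (int32_t)e;
}

/* Remedy 2: refuse a maxlife whose expiration would not fit in 32 bits. */
static int maxlife_fits(int64_t now, int64_t maxlife_days)
{
    return now >= 0 && now <= INT32_MAX && maxlife_days >= 0 &&
           maxlife_days <= (INT32_MAX - now) / SECS_PER_DAY;
}

int main(void)
{
    const int64_t now = 1358283216; /* constructed: 2013-01-15 20:53:36 UTC */
    const int64_t days[] = { 90, 9134, 9135, 9999 };

    for (size_t i = 0; i < sizeof(days) / sizeof(days[0]); i++)
        printf("maxlife=%lld wrapped=%d clamped=%d accepted=%d\n",
               (long long)days[i],
               (int)expiry_wrapped(now, days[i]),
               (int)expiry_clamped(now, days[i]),
               maxlife_fits(now, days[i]));
    return 0;
}
```

With this `now`, a maxlife of 9999 days wraps to a negative timestamp, which is a date far in the past rather than the future.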



