From 826e2b129a1f3c450b2c8452b7fc6497b96316d5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jan 2014 21:09:00 -0800 Subject: Fix wallet-rekey on keytabs containing multiple principals Fix wallet-rekey on keytabs containing multiple principals. Previous versions assumed one could concatenate keytab files together to make a valid keytab file, which doesn't work with some Kerberos libraries. This caused new keys downloaded for principals after the first to be discarded. As a side effect of this fix, wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file. Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359 Reviewed-on: https://gerrit.stanford.edu/1369 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 460d475..a9305d7 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,14 @@ wallet 1.1 (unreleased) + Fix wallet-rekey on keytabs containing multiple principals. Previous + versions assumed one could concatenate keytab files together to make a + valid keytab file, which doesn't work with some Kerberos libraries. + This caused new keys downloaded for principals after the first to be + discarded. As a side effect of this fix, wallet-rekey always appends + new keys directly to the existing keytab file, and never creates a + backup copy of that file. + Fix the code to set enctype restrictions for keytab objects in the wallet server. -- cgit v1.2.3
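Review bot: The last sentence of the new NEWS entry ("wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file") puts a user-visible behavior change at the end of a bug-fix paragraph, where an administrator who relied on a backup copy can easily miss it. Consider moving it into its own paragraph in the wallet 1.1 section and adding a sentence telling users who want a backup to copy the keytab themselves before running wallet-rekey. Since the entry says the file is now appended to in place with no backup, it would also help to state what condition the keytab is left in if a rekey fails partway through.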