Hello,

I have noticed that passwords being changed via kpasswd (kpasswdd) in 1.6 keep old passwords in the database unconditionally.

Codewise it can be tracked down to this line in kpasswdd.c:

===
ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
===

The third argument (1) is the "keepold" flag, so it is clear there is no way to manage this behaviour from the configuration.

Is there a reason this was done? I know --keepold support was added in 1.6, but making that the default for normal users seems a bit excessive, since this creates an ever-increasing backlog of old keys. I know of no way to clean up old keys short of setting a new password via kadmin, where the --keepold flag is optional, and this is not really doable for normal users.

Regards,
Patrik Lundin