From 367ccd2fcf8b4adb82bfc7ef9b5f04ff94f80326 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 29 Jan 2025 00:22:57 -0500
Subject: [PATCH] Allow only one salt type per enctype in key data

In the default libkdb5 password change method, omit requested key/salt
combinations that duplicate an earlier encryption type, even if they
have a different salt type.  Any use cases for multiple salts for the
same enctype disappeared with single-DES support.  (We already have
this behavior for chrand requests.)

ticket: 9160 (new)
---
 src/lib/kdb/kdb_cpw.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index c33c7cf8d0..8b012e19ef 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -264,8 +264,7 @@ add_key_pwd(krb5_context context, krb5_keyblock *master_key,
                                                  &similar)))
                 return(retval);
 
-            if (similar &&
-                (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
+            if (similar)
                 break;
         }
 
-- 
2.47.2