[krbdev.mit.edu #2058] Problems with ticket lifetimes in K4

Tom Yu via RT rt-comment at krbdev.mit.edu
Wed Dec 10 21:45:42 EST 2003


>>>>> "kwc" == kwc at citi umich edu via RT <rt-comment at krbdev.mit.edu> writes:

kwc> 1) We have many Windows AFS clients which use the default
kwc> authentication code found there.  This code, unlike all the
kwc> other AFS authentication code, uses K4 UDP instead of rx.
kwc> The AFS K4 code checks the issue time of the ticket it gets
kwc> back and compares it to its local time.  If those times are
kwc> more than "clock skew" off, it fails with a clock skew error.
kwc> The adjustment of the issue time (kerb_time.tv_sec) causes
kwc> the Windows AFS client to fail with a clock skew error.

The backwards adjustment of issue time is meant to expire the krb4
ticket at the same time as an equivalent krb4 ticket would expire.  I
suppose we could round the lifetime down if necessary, though that
would cause tickets to expire much sooner than expected if you're in
the exponential lifetime region.

kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
kwc> requested lifetime is "unlimited" (0xff in the request).  So
kwc> v4endtime becomes 0xffffffff.  When this is used in the min()
kwc> functions, -1 is found to be the minimum.  Thus a ticket with
kwc> an end time of 0xffffffff is returned.  This lifetime should
kwc> be limited by the life of the TGT and the service's lifetime.

Are you mixing krb4 implementations?  The version of
krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
for a requested lifetime of 0xff.

---Tom
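As an added illustration of the two problems discussed above (not code from this thread, from MIT krb5, or from AFS): the signed min() and the 0xffffffff sentinel behave as the report describes; the function names, the bounding fix, and the sample times are assumptions.

```c
/* Constructed illustration of the two problems in this report; not krb5 or AFS code. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Value the report says krb_life_to_time() returned for a 0xff ("unlimited") request. */
#define KRB4_LIFE_UNLIMITED 0xffffffffU

/* Signed comparison like the min() the report describes: 0xffffffff becomes -1 here. */
#define SIGNED_MIN(a, b) ((int)(a) < (int)(b) ? (int)(a) : (int)(b))

/* Bug reproduction: the "unlimited" sentinel wins because it compares as -1. */
long buggy_endtime(uint32_t v4endtime, long tgt_endtime, long service_endtime)
{
    int e = SIGNED_MIN(v4endtime, tgt_endtime);
    return SIGNED_MIN(e, service_endtime);
}

/* Hypothetical fix: bound by the TGT and service lifetimes first, then apply the
 * requested end time only when it is a real bound, comparing as unsigned. */
long bounded_endtime(uint32_t v4endtime, long tgt_endtime, long service_endtime)
{
    long e = tgt_endtime < service_endtime ? tgt_endtime : service_endtime;
    if (v4endtime != KRB4_LIFE_UNLIMITED && v4endtime < (uint32_t)e)
        e = (long)v4endtime;
    return e;
}

/* Point 1: the client rejects a ticket whose issue time is more than max_skew
 * seconds away from its own clock, so a backdated issue time trips this check. */
int clock_skew_ok(long issue_time, long local_time, long max_skew)
{
    long diff = issue_time > local_time ? issue_time - local_time : local_time - issue_time;
    return diff <= max_skew;
}

int main(void)
{
    long tgt = 1071111942L, svc = 1071111000L;   /* constructed epoch times */
    printf("buggy:   %ld\n", buggy_endtime(KRB4_LIFE_UNLIMITED, tgt, svc));   /* -1 */
    printf("bounded: %ld\n", bounded_endtime(KRB4_LIFE_UNLIMITED, tgt, svc)); /* 1071111000 */
    printf("skew ok: %d\n", clock_skew_ok(tgt - 3600, tgt, 300));             /* 0 */
    return 0;
}
```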


