[krbdev.mit.edu #2655] krb5_get_init_creds() allows renew_until time < expiration time
Alexandra Ellwood via RT
rt-comment at krbdev.mit.edu
Thu Aug 5 17:47:40 EDT 2004
krb5_get_init_creds() should not allow ticket requests where the renew_until time is less
than the ticket expiration time. This can easily happen if the user has a default
renew_lifetime in libdefaults.
For example, if the user's renew_lifetime is set to 7 days in libdefaults and then the user runs
"kinit -l 10d", then krb5_get_init_creds() will end up with a renew_until time less than the
ticket expiration time without explicitly doing anything stupid.
I believe a correct way to fix this is to add a check so that if this case happens,
krb5_get_init_creds() sets the renew_until time to the larger lifetime, i.e.:

    if (request.rtime < request.till) {
        request.rtime = request.till;
    }
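
An added example, not part of the original report and not MIT krb5 code: a small C model of how the request times come out for the "renew_lifetime = 7d" plus "kinit -l 10d" case, with and without the proposed check. The struct, the function names and the timestamp are hypothetical, and the model assumes a renew lifetime of 0 means no renewable ticket was requested.

```c
#include <stdint.h>
#include <stdio.h>

#define DAY (24 * 60 * 60)

/* Hypothetical model of the time fields in an initial ticket request. */
struct req_times {
    int64_t from;   /* requested start time */
    int64_t till;   /* requested expiration time */
    int64_t rtime;  /* requested renew_until time, 0 = not renewable */
};

/* Derive the request times from lifetimes given in seconds.
 * Assumption of this model: renew_life == 0 means no renewable ticket
 * was requested, so rtime stays 0 and is never raised to till. */
static struct req_times build_times(int64_t now, int64_t tkt_life,
                                    int64_t renew_life, int clamp)
{
    struct req_times r;
    r.from = now;
    r.till = now + tkt_life;
    r.rtime = renew_life > 0 ? now + renew_life : 0;
    /* The check proposed in the report, applied to renewable requests. */
    if (clamp && r.rtime != 0 && r.rtime < r.till)
        r.rtime = r.till;
    return r;
}

/* Returns 1 if the request is not renewable or has rtime >= till. */
static int times_consistent(const struct req_times *r)
{
    return r->rtime == 0 || r->rtime >= r->till;
}

int main(void)
{
    int64_t now = 1091742460;  /* constructed sample timestamp */
    /* renew_lifetime = 7d from libdefaults, "kinit -l 10d" on the command line */
    struct req_times raw = build_times(now, 10 * DAY, 7 * DAY, 0);
    struct req_times fixed = build_times(now, 10 * DAY, 7 * DAY, 1);
    printf("unchecked: till=+%lldd rtime=+%lldd consistent=%d\n",
           (long long)((raw.till - now) / DAY),
           (long long)((raw.rtime - now) / DAY), times_consistent(&raw));
    printf("checked:   till=+%lldd rtime=+%lldd consistent=%d\n",
           (long long)((fixed.till - now) / DAY),
           (long long)((fixed.rtime - now) / DAY), times_consistent(&fixed));
    return 0;
}
```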