[krbdev.mit.edu #5755] The KDC reports the principal expiration time rather than the key expiration time.

The RT System itself via RT rt-comment at krbdev.mit.edu
Tue Sep 18 16:25:57 EDT 2007


Date: Tue, 18 Sep 2007 16:22:39 -0400
Message-Id: <200709182022.l8IKMd7i020291 at rapier.boston.redhat.com>
To: krb5-bugs at mit.edu
Subject: kdc misreports key expiration time
From: Nalin Dahyabhai <nalin at redhat.com>


>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	The KDC reports the principal expiration time rather than the key expiration time.
>Severity:	non-critical
>Priority:	low
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	1.6.2
>Environment:
	
System: Linux rapier.boston.redhat.com 2.6.21-1.3230.fc8 #1 SMP Wed Jun 20 15:59:23 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	Sadique Puthen noted that he kept getting password expiration warnings
	when his account was about to expire, and chased it down to the KDC.
>How-To-Repeat:
	Set an entry in the KDC database to have no password expiration date,
	but give it an entry expiration date in the near future.
>Fix:
	This patch should match the behavior described in RFC4120:

Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c	(revision 19949)
+++ src/kdc/do_as_req.c	(working copy)
@@ -372,7 +372,14 @@
 	goto errout;
     }
     reply_encpart.nonce = request->nonce;
-    reply_encpart.key_exp = client.expiration;
+    if (client.expiration == 0) {
+       reply_encpart.key_exp = client.pw_expiration;
+    } else if (client.pw_expiration == 0) {
+       reply_encpart.key_exp = client.expiration;
+    } else {
+       reply_encpart.key_exp = client.pw_expiration < client.expiration ?
+                               client.pw_expiration : client.expiration;
+    }
     reply_encpart.flags = enc_tkt_reply.flags;
     reply_encpart.server = ticket_reply.server;
 
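Review bot: the `else if (client.pw_expiration == 0)` branch still assigns `client.expiration` to `reply_encpart.key_exp`, and that is exactly the How-To-Repeat configuration (no password expiration, entry expiration in the near future), so the reply for that principal is the same as before the patch. If reporting the earlier of the two non-zero times is the intended reading of RFC4120, add a comment above the block saying so and that 0 means "never expires", so the next reader does not take the account-expiry case for an oversight. If the goal is to stop the password warning in the reported case, that branch needs different handling. Minor style point: the added assignments are indented seven spaces, while the surrounding statements in this function use four-space steps.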



