RENEWABLE ticket with no renew_until

Weijun Wang weijun.wang at oracle.com
Wed Aug 23 03:46:10 EDT 2017


I am doing a small experiment and noticed something interesting.

My KDC is configured with max_life = 30s and max_renewable_life = 1m. I use kinit and a password to get a TGT, and then I renew it again and again with "kinit -R".

It looks normal in the first few calls, as the expiration time increases and the renew until time stays unchanged. Then when the expiration time is bigger than the renew until time, the renew until time does not show anymore. I checked the bits in the ticket and it is indeed missing. The ticket is still RENEWABLE.

Then I do a final renew and the KDC reports "Ticket expired". I think this is due to the check at

   https://github.com/krb5/krb5/blob/master/src/kdc/tgs_policy.c#L234

This is not serious at all, but I wonder if the renew until time should not be removed at the second-to-last renew, or the ticket should not be renewable, or it should not be rejected at the last renew.

Thanks
Max
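
A check for the state described in the post (RENEWABLE flag still set, no renew-until time), added here as an example; it is not part of the original message or of krb5. It assumes the output layout and flag letters of MIT `klist -f` with MM/DD/YYYY timestamps, and the sample listing is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout MIT "klist -f" prints (not output from the post).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/23/2017 03:40:00  08/23/2017 03:40:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/23/2017 03:41:00, Flags: FRI
08/23/2017 03:40:40  08/23/2017 03:41:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FRI
08/23/2017 03:40:05  08/23/2017 03:40:30  host/srv.example.com@EXAMPLE.COM
\tFlags: FA
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"   # assumed timestamp format
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")    # starts, expires, service
RENEW = re.compile(rf"renew until {TS}")
FLAGS = re.compile(r"Flags: (\S+)")
FMT = "%m/%d/%Y %H:%M:%S"

def parse_klist(text):
    """Return one dict per ticket: service, expires, renew_until (or None), flags."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None, "flags": ""})
        elif tickets and line[:1].isspace():
            # Indented continuation line: optional "renew until", optional "Flags:".
            r, f = RENEW.search(line), FLAGS.search(line)
            if r:
                tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
            if f:
                tickets[-1]["flags"] = f.group(1)
    return tickets

def renewable_without_renew_until(tickets):
    """Tickets that carry the RENEWABLE flag ('R') but list no renew-until time."""
    return [t for t in tickets if "R" in t["flags"] and t["renew_until"] is None]

if __name__ == "__main__":
    for t in renewable_without_renew_until(parse_klist(SAMPLE)):
        print(f"{t['service']}: RENEWABLE but no renew until (expires {t['expires']})")
```
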



