AS-REQ with till being the epoch
Greg Hudson
ghudson at mit.edu
Tue Aug 29 10:59:13 EDT 2017
On 08/29/2017 09:38 AM, Weijun Wang wrote:
> It looks like if I set the till field in AS-REQ to the epoch, the issued ticket will have a very big endtime (Ex: now it's 2106-02-07 06:28:15 (UTC)).
I guess you have also configured the KDC not to have any ticket lifetime
limits, so the KDC winds up using kdc_infinity (2**32-1) as the ticket
end time.
If "set the till field in AS-REQ to the epoch" you mean the client is
sending "19700101000000Z" in the till field, this is technically a bug
since the client requested a never-valid ticket, not a ticket valid for
a long time. But it doesn't seem like an important bug, as you say.
> But if I call kvno with this TGT in ccache, I see a "Ticket expired while getting credentials" error. Maybe somewhere in the KDC that very big endtime is mistakenly treated as a very small number?
The y2038 changes on master are only intended to work up until times
near 2106, so this behavior isn't surprising. I suspect the KDC is
adding the clock skew (300) to 2**32-1 with 32-bit unsigned arithmetic,
producing a small number.
> The KRB-ERROR reply to TGS-REQ has a strange ctime: 1974-12-10
> 21:52:23 (UTC).
Apparently we set the KRB-ERROR ctime to the client nonce, for both AS
and TGS replies. I had no idea we did this; it is clearly broken, as
there is no good reason to believe that the client is using its system
time as the nonce. Even going back to RFC 1510, a random nonce is
recommended for KDC requests. I will fix it (by not setting the ctime
field).
More information about the krbdev
mailing list