MIT Kerberos TGT forwarding + renewal bug?

Eric Andresen eandres at mars.asu.edu
Fri Aug 13 13:40:58 EDT 2004


Hi,

  I recently discovered a rather sticky issue regarding ticket
forwarding. Mainly, if I ssh (using GSSAPI TGT delegation forwarding)
to another machine when the initial TGT was halfway through its
initial lifetime, let's say 30 minutes for example, my resultant TGT on
the remote machine has a validity starttime of $now, and expiretime of
$expire, as expected.
  The problem is that when you perform a 'kinit -R' on that remote
system, the maximum lifetime you'll receive as renewed is the delta
between those two values, in this case, 15 minutes.
  I would personally expect a renewal to give me the full 30 minutes,
but it does not. This proves to be problematic as you get closer to
your expiration time, since it's quite possible to end up forwarding a
ticket with 1 minute left on it, and not being able to do anything
with it since it won't ever live longer than 1 minute before needing a
renewal.

I'm trying to track down a way to fix this in the source, but I'm not
sure what the cleanest way to do it would be... I see that the
krb5_ticket_times struct has both a 'authtime' and 'starttime', and
'starttime' is marked as optional. Does this mean that if starttime
was kept from the initial TGT that the renewals would work as I
expect, or do renewals use 'endtime-authtime'?

Thanks,
--
   Eric Andresen
   Systems Administrator
   Mars Space Flight Facility
   Arizona State University
   eandres at mars.asu.edu
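The renewal arithmetic described in the message above, as an added example that is not part of the original post and not code from MIT Kerberos: a small Python model of the KDC renewal rule as implemented in the MIT TGS handler (renewed endtime = min(now + (old endtime - old starttime), renew_till), with authtime used when starttime is unset) and of delegation issuing the forwarded TGT with starttime = now. The function names, the `life_base` switch that also computes the "endtime - authtime" variant the poster asks about, and the sample times are assumptions chosen for illustration.

```python
# Added example, not code from the original message or from MIT Kerberos.
# Models an MIT-style KDC's renewal rule for a TGT and the effect of GSSAPI
# delegation resetting starttime, to reproduce the shrinking renewal lifetime
# described in the post. All times are integer seconds since an arbitrary epoch.
from dataclasses import dataclass
from typing import Optional


@dataclass
class TicketTimes:
    """Mirrors the fields of krb5_ticket_times (names are the real ones)."""
    authtime: int
    starttime: Optional[int]   # optional in the protocol; None means "same as authtime"
    endtime: int
    renew_till: int


def effective_start(t: TicketTimes) -> int:
    """The KDC substitutes authtime when starttime is absent."""
    return t.starttime if t.starttime is not None else t.authtime


def forward_tgt(original: TicketTimes, now: int) -> TicketTimes:
    """Model of delegation: the forwarded TGT keeps authtime, endtime and
    renew_till, but its starttime is the moment the KDC issued the copy."""
    return TicketTimes(authtime=original.authtime, starttime=now,
                       endtime=original.endtime, renew_till=original.renew_till)


def renew_tgt(old: TicketTimes, now: int, life_base: str = "starttime") -> TicketTimes:
    """Model of 'kinit -R'. life_base selects the field subtracted from endtime:
    'starttime' is the MIT KDC's rule; 'authtime' is the alternative the
    poster asks about (assumed here purely for comparison)."""
    if life_base not in ("starttime", "authtime"):
        raise ValueError("life_base must be 'starttime' or 'authtime'")
    if now > old.endtime or now > old.renew_till:
        # An expired ticket (or one past its renew_till) cannot be renewed.
        raise ValueError("ticket no longer renewable")
    base = effective_start(old) if life_base == "starttime" else old.authtime
    old_life = old.endtime - base
    new_end = min(now + old_life, old.renew_till)
    return TicketTimes(authtime=old.authtime, starttime=now,
                       endtime=new_end, renew_till=old.renew_till)


def renewed_lifetime_after_forward(initial_life: int, elapsed: int,
                                   renew_till_offset: int,
                                   life_base: str = "starttime") -> int:
    """Obtain a TGT at t=0 with the given lifetime and renewable window, forward
    it after `elapsed` seconds, renew it immediately on the remote host, and
    return the lifetime (endtime - starttime) of the renewed ticket."""
    t0 = 0
    tgt = TicketTimes(authtime=t0, starttime=t0, endtime=t0 + initial_life,
                      renew_till=t0 + renew_till_offset)
    forwarded = forward_tgt(tgt, t0 + elapsed)
    renewed = renew_tgt(forwarded, t0 + elapsed, life_base)
    return renewed.endtime - renewed.starttime


if __name__ == "__main__":
    # Constructed scenario from the post: 30-minute TGT, forwarded at 15 minutes,
    # renewable for a week. The renewed ticket lives only 15 minutes (900 s).
    print(renewed_lifetime_after_forward(1800, 900, 7 * 86400))
    # Forwarded with one minute left: the renewal is capped at one minute (60 s).
    print(renewed_lifetime_after_forward(1800, 1740, 7 * 86400))
    # The endtime - authtime variant would hand back the full 30 minutes (1800 s).
    print(renewed_lifetime_after_forward(1800, 900, 7 * 86400, "authtime"))
```

The model shows why the poster's observation follows from the KDC computing the renewed lifetime from the forwarded ticket's own starttime rather than from authtime, and why renew_till still caps the result in either variant; it is a model for reasoning about the timings, not a substitute for checking `klist -f` output on the remote host.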

