bug?: erroneous start time for max renewable life check

Jeffrey Altman jaltman at secure-endpoints.com
Tue Jun 8 07:25:06 EDT 2010


On 5/17/2010 7:37 PM, Richard Johnson wrote:
>
> The misbehavior:
>
> When a TGT with the Renewable flag set is used to obtain an ftp or host ticket
> on an MIT Kerberos client, that ftp or host service ticket also has the
> Renewable flag set.  I call this misbehavior as it seems nonsensical.  If an
> ftp or host service ticket is expired, a new one will be obtained; there's no
> need to make them renewable.

It would only be nonsensical if the assumption were that the obtained
service ticket would never be used without possession of the TGT.  A
renewable service ticket permits that ticket to be handed off to a
process which is meant to do a specific task (local or remote) without
the dangers inherent in delegating a TGT.

Jeffrey Altman



