bug?: erroneous start time for max renewable life check
Richard Johnson
rjohnson+kerberos at ucar.edu
Wed Jun 9 16:49:15 EDT 2010
[resend with proper tagged From address]
On Wed, Jun 09, 2010 at 12:15:36PM -0400, Greg Hudson wrote:
> I think the most practical fix for your problem is to make the Heimdal
> KDC more forgiving--it should not squash the validity end time of the
> ticket simply because it calculated a lower maximum renewable end time.
Thanks for the more precise ID of the problem. The Heimdal KDC should
probably use a more reasonable start time if it's going to calculate
lifetimes.
> If I were a Heimdal developer, I'd propose removing this line from
> krb5tgs.c:
>
> et.endtime = min(et.endtime, *et.renew_till);
Thanks. I'll test it and pursue that fix or a similar one.
> I'm certainly happy to change the MIT krb5 client code to not request
> renewable service tickets, and I'll bring that up on the krbdev list.
> But it's much easier to change your KDC than to change your OS-native
> client code on every client.
Jeffrey Altman pointed out that my assumption of always having the TGT
around when using the ftp service ticket is incorrect. Having a renewable
service ticket without requiring keeping/passing around the TGT can be
safer, and I'd thus be hesitant to have others lose that option.
Richard
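To make the interaction between the lifetime clamps concrete, here is a small model of the KDC-side calculation the thread is about. This is an added example, not code from the thread, from Heimdal or from MIT krb5: it assumes a KDC that clamps `endtime` to `now + max_life`, clamps `renew_till` to `renew_base + max_renewable_life` (where `renew_base` stands for whatever start time the KDC feeds into the max-renewable-life check), and then optionally applies the `et.endtime = min(et.endtime, *et.renew_till)` squash quoted above. The function and constant names (`clamp_ticket_times`, `STALE_BASE`, and so on) and the sample times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class TicketTimes:
    """Subset of an EncTicketPart relevant to lifetime clamping (model)."""
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]


def clamp_ticket_times(now: datetime,
                       req_endtime: datetime,
                       req_renew_till: Optional[datetime],
                       max_life: timedelta,
                       max_renewable_life: timedelta,
                       renew_base: datetime,
                       squash_endtime: bool) -> TicketTimes:
    """Model of how a KDC derives ticket times from a request and policy.

    renew_base is the start time the KDC uses for the max-renewable-life
    check (hypothetical parameter).  squash_endtime=True reproduces the
    quoted line 'et.endtime = min(et.endtime, *et.renew_till)'.
    """
    # Validity end: never later than policy allows from the actual start.
    endtime = min(req_endtime, now + max_life)

    renew_till = None
    if req_renew_till is not None:
        # Renewable end: clamped against whatever base time the KDC picked.
        renew_till = min(req_renew_till, renew_base + max_renewable_life)
        if squash_endtime:
            # The disputed step: a low renew_till drags endtime down too.
            endtime = min(endtime, renew_till)

    return TicketTimes(starttime=now, endtime=endtime, renew_till=renew_till)


# Constructed sample policy and clock values.
NOW = datetime(2010, 6, 9, 16, 0, tzinfo=timezone.utc)
MAX_LIFE = timedelta(hours=10)
MAX_RENEWABLE_LIFE = timedelta(days=7)
# A base time almost a full renewable period in the past, e.g. an old
# authtime reused for the check (constructed to trigger the problem).
STALE_BASE = NOW - timedelta(days=6, hours=23)


def scenario(squash_endtime: bool, renew_base: datetime = STALE_BASE) -> TicketTimes:
    """Client asks for the policy maximum of both lifetimes."""
    return clamp_ticket_times(NOW, NOW + MAX_LIFE, NOW + MAX_RENEWABLE_LIFE,
                              MAX_LIFE, MAX_RENEWABLE_LIFE, renew_base,
                              squash_endtime)


def validity_seconds(t: TicketTimes) -> int:
    """Seconds the ticket is valid for before it must be renewed or reissued."""
    return int((t.endtime - t.starttime).total_seconds())


def renewable_window_seconds(t: TicketTimes) -> int:
    """Seconds until the ticket can no longer be renewed (0 if not renewable)."""
    if t.renew_till is None:
        return 0
    return int((t.renew_till - t.starttime).total_seconds())


if __name__ == "__main__":
    for label, squash in (("with squash", True), ("without squash", False)):
        t = scenario(squash)
        print(f"{label:15s} valid {validity_seconds(t):6d}s, "
              f"renewable {renewable_window_seconds(t):6d}s")
    t = scenario(True, renew_base=NOW)
    print(f"{'fresh base':15s} valid {validity_seconds(t):6d}s, "
          f"renewable {renewable_window_seconds(t):6d}s")
```

With the stale base the renewable end lands only one hour out; keeping the squash cuts a ten-hour ticket down to that hour, while dropping it leaves the validity period intact and merely yields a short renewable window. With a fresh base (`renew_base=NOW`) both variants agree, which is why the bug only shows up when the KDC picks the wrong start time for the check.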