Request to change MIT Kerberos behavior when principal is expired, deleted or password changed

Roland C. Dowdeswell elric at imrryr.org
Sat Mar 8 07:30:37 EST 2014


On Fri, Mar 07, 2014 at 04:45:12PM -0800, Russ Allbery wrote:
> Yeah, I don't think we could enable the password change invalidation here.
> It's a neat idea, and it's a clear win from a security perspective, but
> it's one of those things that's devilishly hard to explain to users.  Most
> users aren't even aware they *have* a Kerberos ticket cache; it's some
> detail that software manages for them.  So when it suddenly breaks, it's
> hopelessly confusing to them.

I actually object to invalidating tickets on passwd change.  I do
not think that it is a clear win at all but rather it is bundling
two disjoint actions together which should continue to be disjoint.
(Granted one of those actions: ``invalidate all outstanding tickets''
hasn't been implemented---but if it were, I would argue that it
should be a separate action.)

To put it a different way, when would you want to invalidate all
outstanding tickets for a principal?  When would you want them to
change their passwd? I think that the answers to these two questions
are actually different and so it would be actively counterproductive
to bind them together.

And quite frankly, I'd rather not see ``You have changed your
passwd, please log out and log back in to all active sessions''.
This is one of the problems that Kerberos is supposed to solve, not
create.

An example that might be instructive would be to walk through a
not too atypical example of what someone might be trying to do with
Kerberos.  Let's say that I want to run a long simulation which
takes a few days and so I dutifully obtain a TGT which is renewable
for the appropriate amount of time with which I can run the
simulation.  Now, I haven't checked when my passwd policy requires
a passwd change but let's say it occurs during the course of said
simulation.  I do not think that it is reasonable for my simulation
to fail if I change my passwd without going to all of the machines
where the simulation has a ccache and run kinit after the passwd
change.  In fact, I don't even see how I could do it without a race
condition unless I can pause the simulation and so on.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

