[krbdev.mit.edu #2058] Problems with ticket lifetimes in K4

The RT System itself via RT rt-comment at krbdev.mit.edu
Wed Dec 10 13:44:12 EST 2003


From kwc at babylon.citi.umich.edu  Wed Dec 10 13:44:09 2003
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3p2) with ESMTP
	id NAA02468; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from citi.umich.edu (citi.umich.edu [141.211.133.111])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id hBAIi8VA017297
	for <krb5-bugs at mit.edu>; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from babylon.citi.umich.edu (babylon.citi.umich.edu [141.211.133.5])
	(using TLSv1 with cipher EDH-DSS-DES-CBC3-SHA (168/168 bits))
	(No client certificate requested)
	by citi.umich.edu (Postfix) with ESMTP id C9BB5207E5
	for <krb5-bugs at mit.edu>; Wed, 10 Dec 2003 13:44:07 -0500 (EST)
Received: (from kwc at localhost)
	by babylon.citi.umich.edu (8.12.10/8.12.10/Submit) id hBAIi6Is022321;
	Wed, 10 Dec 2003 13:44:06 -0500
Date: Wed, 10 Dec 2003 13:44:06 -0500
Message-Id: <200312101844.hBAIi6Is022321 at babylon.citi.umich.edu>
To: krb5-bugs at mit.edu
Subject: K4 lifetime issues 
From: kwc at citi.umich.edu
Reply-To: kwc at citi.umich.edu
Cc: 
X-send-pr-version: 3.99


>Submitter-Id:	net
>Originator:	Kevin Coffman
>Organization:
	University of Michigan -- CITI
>Confidential:	no
>Synopsis:	Problems with ticket lifetimes in K4
>Severity:	serious
>Priority:	medium
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	krb5-1.3.1
>Environment:
	
System: Linux babylon.citi.umich.edu 2.4.21-4.ELsmp #1 SMP Fri Oct 3 17:52:56 EDT 2003 i686 i686 i386 GNU/Linux
Architecture: i686

>Description:
	Resetting the issue time confuses clients into thinking there is
	a clock skew problem

	A TGS request for unlimited lifetime results in an endtime of
	0xffffffff.

>How-To-Repeat:
	The default Windows OpenAFS client uses K4.  It had problems getting
	tokens with the adjustment of the issue time.

	KTH/Heimdal code requests unlimited lifetime service tickets.
>Fix:

[ 61 ] rock/.../kdc% cvs diff -u  -r MIT_1_3_1 kerberos_v4.c
Index: kerberos_v4.c
===================================================================
RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/krb5/src/kdc/kerberos_v4.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kerberos_v4.c
--- kerberos_v4.c       21 Jul 2003 20:28:38 -0000      1.1.1.3
+++ kerberos_v4.c       10 Dec 2003 18:15:15 -0000
@@ -743,6 +743,7 @@
            v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
            lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
            v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
            /*
             * Adjust issue time backwards if necessary, due to
             * roundup in krb_time_to_life().  XXX This frobs
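Review bot: wrapping the issue-time rollback in `#if !defined(UMICH)` turns it into a compile-time site switch rather than fixing it; UMICH is defined nowhere in this patch, so a default build keeps exactly the behaviour the report complains about (kerb_time.tv_sec moved backwards, which the client reads as clock skew). If the rollback is wrong for every deployment, remove it unconditionally; if it must stay selectable, use a documented configure option or krb5.conf setting instead of a bare site macro. This `#if` is closed in the next hunk, so the two hunks have to be read as one change.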
@@ -750,6 +751,7 @@
             */
            if (v4endtime > v4req_end)
                kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif
 
 #ifdef NOENCRYPTION
            memset(session_key, 0, sizeof(C_Block));
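Review bot: with UMICH defined, the `v4endtime > v4req_end` case between this `#if` and `#endif` is now silently ignored: the ticket goes out with the rounded-up `lifetime` computed from `krb_time_to_life()`, so its real expiry (`v4endtime`) can exceed `v4req_end`, the bound that `min(v4req_end, kerb_time.tv_sec + sk5life)` just enforced. That is a deliberate trade-off (a slightly longer ticket instead of a skewed issue time) and should be stated in a comment at the `#endif`; the cleaner fix is to have the lifetime encoding round down so that neither the rollback nor the overshoot occurs.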
@@ -932,11 +934,21 @@
            /* Bound requested lifetime with service and user */
            v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
            v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
+#if defined(UMICH)
+           /*
+            * Even if they requested unlimited lifetime,
+            * it is still limited by the end of their TGT
+            */
+           if (v4req_end == 0xffffffff)
+               v4req_end = v4endtime;
+           else
+#endif
            v4req_end = min(v4endtime, v4req_end);
            v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
 
            lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
            v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
            /*
             * Adjust issue time backwards if necessary, due to
             * roundup in krb_time_to_life().  XXX This frobs
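Review bot: the bare `else` inside `#if defined(UMICH)` followed by the unconditional `v4req_end = min(v4endtime, v4req_end);` is a dangling-else across a preprocessor boundary and will break the first time someone edits that line; put both assignments in one if/else inside the conditional instead, e.g. `if (v4req_end == 0xffffffff) v4req_end = v4endtime; else v4req_end = min(v4endtime, v4req_end);`. Whether the sentinel check is needed at all depends on the type of v4req_end: as an unsigned 32-bit value 0xffffffff is already the maximum and min() returns v4endtime without help, whereas a signed value reads it as -1 and min() keeps it, which matches the report's symptom (a TGS endtime of 0xffffffff). Confirm which case applies and record it in the comment; in the signed case the same sentinel also flows into `min(v4req_end, kerb_time.tv_sec + sk5life)` on the next line whenever UMICH is not defined.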
@@ -944,6 +956,7 @@
             */
            if (v4endtime > v4req_end)
                kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif
 
            /* unseal server's key from master key */
            memcpy(key,                &s_name_data.key_low,  4);
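Review bot: this `#endif` closes the second `#if !defined(UMICH)` (opened in the previous hunk) around the TGS-path copy of the same issue-time rollback, so the AS path (around line 743) and the TGS path (around line 934) now carry identical code under identical guards; factoring the bound-encode-adjust sequence into one helper would keep the two copies from drifting apart in later fixes and would give a single place to document the lifetime trade-off.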

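A simplified model of the two behaviours described in the report, added here as an illustration; it is not code from MIT krb5 or from the patch above. It assumes a hypothetical lifetime encoding (one byte of one-hour steps, 0xff meaning "never expires", `time_to_life()` rounding up), whereas the real extended K4 encoding is a table whose steps grow to hours and days, so the issue-time rollback can be far larger than a client's five-minute skew allowance. The `bound_signed()` versus `bound_unsigned()` contrast is an assumption about how the 0xffffffff sentinel reaches `min()`; it is consistent with the reported symptom but not confirmed by the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical K4-style lifetime encoding used only for this illustration:
 * one byte of LIFE_UNIT-second steps, 0xff meaning "never expires". The real
 * krb_life_to_time()/krb_time_to_life() use a coarser table. */
#define LIFE_UNIT     3600u
#define LIFE_NOEXPIRE 0xffu
#define NEVERDATE     0xffffffffu   /* end time for an unlimited request */
#define MIN(a, b)     ((a) < (b) ? (a) : (b))

struct v4ticket { uint32_t issue; uint32_t end; };

/* Encode (start, end) as a lifetime byte, rounding UP so the ticket lasts at
 * least until 'end'; this is the "roundup" the KDC comment refers to. */
unsigned char time_to_life(uint32_t start, uint32_t end)
{
    uint32_t secs  = end > start ? end - start : 0;
    uint32_t units = (secs + LIFE_UNIT - 1) / LIFE_UNIT;
    return units >= LIFE_NOEXPIRE ? (unsigned char)(LIFE_NOEXPIRE - 1)
                                  : (unsigned char)units;
}

uint32_t life_to_time(uint32_t start, unsigned char life)
{
    return life == LIFE_NOEXPIRE ? NEVERDATE : start + life * LIFE_UNIT;
}

/* Unpatched behaviour: honour the bound exactly by moving the issue time
 * backwards by the rounding remainder. */
struct v4ticket issue_adjusting_time(uint32_t now, uint32_t req_end)
{
    unsigned char life = time_to_life(now, req_end);
    struct v4ticket t = { now, life_to_time(now, life) };
    if (t.end > req_end) {
        t.issue -= t.end - req_end;           /* ticket now looks "old" */
        t.end = life_to_time(t.issue, life);  /* lands exactly on req_end */
    }
    return t;
}

/* Patched (UMICH) behaviour: keep the true issue time and let the ticket run
 * up to one LIFE_UNIT past the requested bound. */
struct v4ticket issue_keeping_time(uint32_t now, uint32_t req_end)
{
    unsigned char life = time_to_life(now, req_end);
    struct v4ticket t = { now, life_to_time(now, life) };
    return t;
}

/* Client-side check with a fixed clock-skew allowance: a ticket whose issue
 * time is more than 'skew' seconds from the client's clock is treated as a
 * clock problem. Returns 1 if accepted, 0 if rejected. */
int client_accepts(struct v4ticket t, uint32_t client_now, uint32_t skew)
{
    uint32_t diff = client_now > t.issue ? client_now - t.issue
                                         : t.issue - client_now;
    return diff <= skew;
}

/* Bounding an unlimited request by the TGT end time. If the operands are
 * signed 32-bit (an assumption here), 0xffffffff is -1 and min() keeps the
 * sentinel; the patch's explicit check does not depend on signedness. */
uint32_t bound_signed(uint32_t tgt_end, uint32_t req_end)
{
    int32_t a = (int32_t)tgt_end, b = (int32_t)req_end; /* two's-complement wrap */
    return (uint32_t)MIN(a, b);
}

uint32_t bound_unsigned(uint32_t tgt_end, uint32_t req_end)
{
    return MIN(tgt_end, req_end);
}

uint32_t bound_checked(uint32_t tgt_end, uint32_t req_end)
{
    return req_end == NEVERDATE ? tgt_end : MIN(tgt_end, req_end);
}

int main(void)
{
    /* Constructed sample: KDC clock 1000000, request bounded to 5000 s ahead,
     * client clock in sync with a 300 s skew allowance, TGT ending 36000 s ahead. */
    uint32_t now = 1000000u, req_end = now + 5000u, tgt_end = now + 36000u;
    struct v4ticket a = issue_adjusting_time(now, req_end);
    struct v4ticket b = issue_keeping_time(now, req_end);
    printf("adjusted: issue=%u end=%u accepted=%d\n",
           (unsigned)a.issue, (unsigned)a.end, client_accepts(a, now, 300u));
    printf("kept:     issue=%u end=%u accepted=%d\n",
           (unsigned)b.issue, (unsigned)b.end, client_accepts(b, now, 300u));
    printf("unlimited bounded by TGT: signed=%08x unsigned=%08x checked=%08x\n",
           (unsigned)bound_signed(tgt_end, NEVERDATE),
           (unsigned)bound_unsigned(tgt_end, NEVERDATE),
           (unsigned)bound_checked(tgt_end, NEVERDATE));
    return 0;
}
```

With the rollback, the sample ticket is stamped 2200 seconds in the past and a client with a 300-second skew allowance rejects it even though both clocks agree; without the rollback the same request yields a ticket that runs 2200 seconds past the requested bound but is accepted. The three `bound_*` variants show why the patch spells out the 0xffffffff case instead of relying on `min()`.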
