[krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
The RT System itself via RT
rt-comment at krbdev.mit.edu
Wed Dec 10 13:44:12 EST 2003
Date: Wed, 10 Dec 2003 13:44:06 -0500
Message-Id: <200312101844.hBAIi6Is022321 at babylon.citi.umich.edu>
To: krb5-bugs at mit.edu
Subject: K4 lifetime issues
From: kwc at citi.umich.edu
Reply-To: kwc at citi.umich.edu
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: Kevin Coffman
>Organization:
University of Michigan -- CITI
>Confidential: no
>Synopsis: Problems with ticket lifetimes in K4
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
>Environment:
System: Linux babylon.citi.umich.edu 2.4.21-4.ELsmp #1 SMP Fri Oct 3 17:52:56 EDT 2003 i686 i686 i386 GNU/Linux
Architecture: i686
>Description:
Resetting the issue time confuses clients into thinking there is
a clock skew problem.

A TGS request for unlimited lifetime results in an endtime of
0xffffffff.
>How-To-Repeat:
The default Windows OpenAFS client uses K4. It had problems getting
tokens with the adjustment of the issue time.
KTH/Heimdal code requests unlimited lifetime service tickets.
>Fix:
[ 61 ] rock/.../kdc% cvs diff -u -r MIT_1_3_1 kerberos_v4.c
Index: kerberos_v4.c
===================================================================
RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/krb5/src/kdc/kerberos_v4.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kerberos_v4.c
--- kerberos_v4.c 21 Jul 2003 20:28:38 -0000 1.1.1.3
+++ kerberos_v4.c 10 Dec 2003 18:15:15 -0000
@@ -743,6 +743,7 @@
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life(). XXX This frobs
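Review bot: gating the issue-time adjustment behind a site macro (`#if !defined(UMICH)` at the top of this hunk) trades one problem for another. With the block compiled out, the `if (v4endtime > v4req_end)` correction never runs, so the end time encoded by the rounded-up `lifetime` can exceed `v4req_end`, which the line above had already clamped to `kerb_time.tv_sec + sk5life`; a KDC built with UMICH can therefore issue a K4 ticket that outlives the service's maximum life by the round-up slack of `krb_time_to_life()`. A change that serves both goals is to replace round-up plus backward issue-time shift with a round-down: pick the largest `lifetime` for which `krb_life_to_time(kerb_time.tv_sec, lifetime) <= v4req_end`, so the issue time stays at the real current time (no apparent clock skew for the client) and the end time never passes the bound. Either way this should not be a compile-time site switch; if the behaviour must be selectable, expose it as a KDC configuration option.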
@@ -750,6 +751,7 @@
*/
if (v4endtime > v4req_end)
kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif
#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
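Review bot: the `#endif` added here closes the conditional opened in the previous hunk, but the comment it encloses still states that the issue time is adjusted backwards, which is no longer true for UMICH builds. Update the comment to record that the adjustment is disabled on that branch and why (the report says clients read the shifted issue time as clock skew), so the next reader does not have to reconstruct the intent from the preprocessor nesting.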
@@ -932,11 +934,21 @@
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
+#if defined(UMICH)
+ /*
+ * Even if they requested unlimited lifetime,
+ * it is still limited by the end of their TGT
+ */
+ if (v4req_end == 0xffffffff)
+ v4req_end = v4endtime;
+ else
+#endif
v4req_end = min(v4endtime, v4req_end);
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life(). XXX This frobs
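Review bot: the unlimited-lifetime special case is a real bug fix (the report shows a TGS request for unlimited lifetime yielding an end time of 0xffffffff), so it should not depend on the site macro; apply it unconditionally. Two details of the added lines: the `else` immediately followed by `#endif` leaves a dangling `else` whose body is the unconditional `v4req_end = min(v4endtime, v4req_end);` outside the conditional, which compiles but is easy to misread and easy to break on the next edit, so write a complete `if`/`else` block instead; and `0xffffffff` is a magic sentinel, so compare against the named value that `krb_life_to_time()` returns for an unlimited lifetime and check the signedness of `v4req_end`: if `KRB4_32` is signed, the sentinel is -1, which is exactly why `min()` prefers it over `v4endtime` in the current code. The `#if !defined(UMICH)` at the end of this hunk has the same problem as in the first hunk: dropping the adjustment lets the encoded end time exceed `v4req_end`.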
@@ -944,6 +956,7 @@
*/
if (v4endtime > v4req_end)
kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif
/* unseal server's key from master key */
memcpy(key, &s_name_data.key_low, 4);
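Review bot: in this TGS path `v4req_end` was bounded by the TGT's own end time (`v4endtime` computed from `ad->time_sec` and `ad->life`), so with the adjustment compiled out a service ticket can be issued whose end time lies after the TGT's by the round-up slack of `krb_time_to_life()`. Prefer rounding `lifetime` down to a silent overrun; at minimum, document the accepted overrun next to the `#endif`.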