[krbdev.mit.edu #8609] Renewed tickets can be marked renewable with no renewable endtime
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Aug 24 00:02:57 EDT 2017

Commit 4f551a7ec126c52ee1f8fea4c3954015b70987bd (ticket 7661) tries to
issue renewable tickets only if the computed renewable end time is
greater than the computed end time. The design assumption is that the
renewable bit in the returned ticket is only ever set by the last
conditional in kdc_get_ticket_renewtime().

However, for a renewed ticket, the assignment
"enc_tkt_reply = *(header_ticket->enc_part2);" sets the renewable bit in
enc_tkt_reply.flags (since it was necessarily set in
header_ticket->enc_part2->flags). So if the resulting ticket isn't
determined to be renewable, the renewable flag is set but renew_till is 0.
This was reported by Weijun Wang.

The simple fix is to clear the renewable flag at the beginning of
kdc_get_ticket_renewtime() where we clear renew_till.

We might also reconsider whether it is better to issue trivially
renewable tickets (renew_till == till) instead of non-renewable
tickets, assuming the client asked for a renewable ticket. We
received one complaint after #7661 because a script started getting
failures trying to renew a non-renewable ticket:
http://mailman.mit.edu/pipermail/kerberos/2015-August/020926.html
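
The flag inheritance described in the report, reduced to a self-contained model (an added example, not code from krb5 or from the report's author). The struct, the function names and the sample times are assumptions made for illustration; only the renewable bit value matches TKT_FLG_RENEWABLE in krb5.h.

```c
#include <stdint.h>
#include <stdio.h>

#define FLG_RENEWABLE 0x00800000u /* same bit as TKT_FLG_RENEWABLE in krb5.h */

/* Simplified stand-in for the ticket fields discussed; not the krb5 struct. */
struct model_tkt { uint32_t flags; int64_t endtime; int64_t renew_till; };

/* Model of the renew-time step: renew_till is cleared on entry, and the
 * renewable bit is set only when the computed renewable end time exceeds
 * the end time. clear_flag != 0 applies the fix proposed in the report. */
static void model_renewtime(struct model_tkt *reply, int64_t rtime, int clear_flag)
{
    reply->renew_till = 0;
    if (clear_flag)
        reply->flags &= ~FLG_RENEWABLE;
    if (rtime > reply->endtime) {
        reply->flags |= FLG_RENEWABLE;
        reply->renew_till = rtime;
    }
}

/* Renewal path: the reply starts as a copy of the header ticket, so it
 * inherits the renewable bit before the renew time is computed. */
static struct model_tkt model_renew(const struct model_tkt *header,
                                    int64_t new_end, int64_t rtime, int clear_flag)
{
    struct model_tkt reply = *header;
    reply.endtime = new_end;
    model_renewtime(&reply, rtime, clear_flag);
    return reply;
}

/* Invariant a KDC test or client-side check can assert on issued tickets. */
static int tkt_consistent(const struct model_tkt *t)
{
    return !(t->flags & FLG_RENEWABLE) || t->renew_till != 0;
}

int main(void)
{
    /* Constructed values: renewal whose new end time reaches renew_till. */
    struct model_tkt hdr = { FLG_RENEWABLE, 1000, 2000 };
    struct model_tkt before = model_renew(&hdr, 2000, 2000, 0);
    struct model_tkt after = model_renew(&hdr, 2000, 2000, 1);
    printf("before fix consistent=%d, after fix consistent=%d\n",
           tkt_consistent(&before), tkt_consistent(&after));
    return 0;
}
```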