[krbdev.mit.edu #8993] PKINIT client cert notAfter has no effect on ticket endtime, but should
Nico Williams via RT
rt-comment at krbdev.mit.edu
Fri Mar 26 12:52:07 EDT 2021
Fri Mar 26 12:52:06 2021: Request 8993 was acted upon.
Transaction: Ticket created by nico at cryptonector.com
Queue: krb5
Subject: PKINIT client cert notAfter has no effect on ticket endtime, but should
Owner: Nobody
Requestors: nico at cryptonector.com
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8993 >
In a world where there are online CAs issuing client certificates it is
important to not allow the endtime of a ticket acquired with PKINIT to
extend past the notAfter of the client's certificate. Otherwise there
is the risk that a user can cycle a forever credential by using Kerberos
to acquire a client certificate and then the client certificate to
acquire a TGT, repeatedly getting a 10-hour (or whatever is configured)
extension, and thus avoiding the need to periodically engage in initial
[pre-]authentication.
This should apply to all pre-authentication methods where the method
involves expiring credentials, and indeed, it already applies to PA-TGS
for example.
Not applying the client certificate's notAfter to the issued ticket's
endtime is only a serious bug in environments that also operate online
CAs that issue client certificates good for PKINIT to clients
authenticated with Kerberos. In the context of as-originally-intended
deployment, this is not a serious bug.
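The following is an added example, not code from the ticket or from MIT krb5, showing the KDC-side rule the report asks for and why it matters. `pkinit_ticket_endtime` caps the ticket endtime at the client certificate's notAfter (the `bound_by_cert` flag switches between current and requested behaviour); `simulate_cycling` models the cert -> TGT -> cert loop the report describes against a hypothetical online CA (`online_ca_issue`, an assumption: it bounds the new cert's notAfter by the authenticating TGT's endtime). All timestamps, lifetimes and the renewal cadence are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed parameters (not from the ticket): a 10 hour ticket life matches the
# "10 hour (or whatever is configured)" extension the report mentions.
MAX_TICKET_LIFE = timedelta(hours=10)
T0 = datetime(2021, 3, 26, 12, 0, tzinfo=timezone.utc)   # constructed start time


def pkinit_ticket_endtime(now, requested_endtime, cert_not_after,
                          max_life=MAX_TICKET_LIFE, bound_by_cert=True):
    """Simplified model of the KDC computing the endtime for a PKINIT AS-REQ.

    The endtime is the smaller of the requested endtime and the configured
    max life; with bound_by_cert=True it is additionally capped at the client
    certificate's notAfter, which is the behaviour the report asks for.
    """
    if now >= cert_not_after:
        raise ValueError("client certificate has expired; PKINIT must fail")
    endtime = min(requested_endtime, now + max_life)
    if bound_by_cert:
        endtime = min(endtime, cert_not_after)
    return endtime


def online_ca_issue(now, tgt_endtime, cert_max_life=timedelta(days=1)):
    """Hypothetical online CA issuing PKINIT client certs to Kerberos-
    authenticated clients. Assumption: it bounds notAfter by the endtime of
    the TGT used to authenticate, and by its own maximum cert life."""
    return min(tgt_endtime, now + cert_max_life)


def simulate_cycling(bound_by_cert, horizon=timedelta(days=30),
                     renew_every=timedelta(hours=9)):
    """Model the cert -> TGT -> cert loop described in the report.

    The user performs one real initial authentication at T0 and receives a
    cert valid for one day. From then on they only use PKINIT with the current
    cert to get a TGT and the TGT to get a fresh cert, every `renew_every`.
    Returns (number of successful PKINIT cycles, latest ticket endtime reached).
    """
    cert_not_after = T0 + timedelta(days=1)   # cert from the real initial auth
    latest_endtime = T0
    cycles = 0
    now = T0
    while now < T0 + horizon:
        try:
            tgt_end = pkinit_ticket_endtime(now, now + timedelta(days=365),
                                            cert_not_after,
                                            bound_by_cert=bound_by_cert)
        except ValueError:
            break   # cert expired: a real initial authentication is needed again
        latest_endtime = max(latest_endtime, tgt_end)
        cycles += 1
        cert_not_after = online_ca_issue(now, tgt_end)
        now += renew_every
    return cycles, latest_endtime


if __name__ == "__main__":
    for bound in (False, True):
        cycles, latest = simulate_cycling(bound_by_cert=bound)
        print(f"bound_by_cert={bound}: {cycles} PKINIT cycles, "
              f"latest endtime {latest.isoformat()} "
              f"({(latest - T0).total_seconds() / 3600:.0f}h after T0)")
```

Without the cap, every cycle yields a ticket that outlives the certificate it was obtained with, the CA then issues a cert that outlives the previous one, and the loop runs for the whole horizon. With the cap, no ticket ever extends past the notAfter of the original certificate, so the user is forced back to a real initial authentication within a day.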