Renewable tickets

Russell King rmk at arm.linux.org.uk
Sun Feb 1 15:30:52 EST 2004


Hi,

I'm not sure if this is the correct place for this.  I'm experimenting
with Kerberos 1.3.1 with pam as packaged with Fedora Core 1 from Red Hat.
I'm seeing a problem when trying to get renewable principals/tickets
working.

On client machines, I have:

[libdefaults]
 ticket_lifetime = 24000

[appdefaults]
  pam = {
   ...
   ticket_lifetime = 24000
   renew_lifetime = 24000
  }

When I try to log in, an AS_REQ is sent to the server with the following
parameters:

	kdc_options = 0x40800010 (Forwardable, renewable, renewable_ok)
	from  = 1075656779
	till  = 1075743179 (from + 1 day)
	rtime = 1075680779 (from + 24000, 6h40)

I'm not certain whether this is correct or not - it looks wrong to
my understanding of these parameters.  (What's the point in having a
renewable ticket whose renewable lifetime is less than the requested
lifetime of the ticket?)  It seems that the requested renew time
comes from the configuration file, and the requested ticket lifetime
comes from a hard-coded constant within the kerberos libraries -
see krb5_get_init_creds(): "request.till += 24*60*60;"

Ok, now on to what happens.  The reply from the KDC appears to contain
a ticket with the following parameters:

	starttime  = 1075656779
	endtime    = 1075710779 (starttime + 15hrs)
	renew_till = 1075743179 (starttime + 1day)

The krbtgt/realm principal has a maxlife of 1 day and renewlife of 7 days.
The user's principal has the same parameters.

Since renew_till in the reply is later than the requested rtime,
verify_as_reply fails with KRB5_KDCREP_MODIFIED.

Looking at process_as_req() this seems to be what is intended, but it
doesn't look right - it seems to be this which is creating this problem:

    until = (request->till == 0) ? kdc_infinity : request->till;

    enc_tkt_reply.times.endtime =
        min(until,
            min(enc_tkt_reply.times.starttime + client.max_life,
                min(enc_tkt_reply.times.starttime + server.max_life,
                    enc_tkt_reply.times.starttime + max_life_for_realm)));

    if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
        !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
        (enc_tkt_reply.times.endtime < request->till)) {

        /* we set the RENEWABLE option for later processing */

        setflag(request->kdc_options, KDC_OPT_RENEWABLE);
        request->rtime = request->till;
    }
    rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;

This appears to allow request->rtime to be extended if request->till is
later than rtime... which then causes verify_as_reply() to fail.

So:

- should the kerberos client library have a hardcoded lifetime
  of one day?

- should the kerberos client libraries allow these requests for
  renewable tickets with renewlife < lifetime?

- should krb5kdc extend the renewable ticket lifetime if it has
  shortened the returned ticket lifetime?

Thanks.

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 PCMCIA      - http://pcmcia.arm.linux.org.uk/
                 2.6 Serial core
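The interaction described in the message above, as an added example that is not part of the original post and not krb5 code: a small C model of the client's AS_REQ construction, the process_as_req() lifetime arithmetic quoted in the post, and the client-side renew_till check, fed with the timestamps the post reports. Struct and function names (build_as_req, kdc_issue, verify_as_reply, run_login) are illustrative; the verify_as_reply model is reduced to the two time comparisons the post is concerned with; starttime is taken equal to the requested "from" because that is what the reported reply shows; and realm max_life = 15h is an assumption chosen only so the model reproduces the "starttime + 15hrs" endtime in the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not krb5 source: a model of the lifetime arithmetic from the post. */
typedef int64_t ktime_t;                     /* seconds since the epoch, as in the post */

#define KDC_OPT_FORWARDABLE   0x40000000u    /* bits making up the 0x40800010 in the post */
#define KDC_OPT_RENEWABLE     0x00800000u
#define KDC_OPT_RENEWABLE_OK  0x00000010u
#define ONE_DAY               (24 * 60 * 60)
#define KDC_INFINITY          INT64_MAX      /* stands in for kdc_infinity */

enum { VERIFY_OK = 0, VERIFY_KDCREP_MODIFIED = 1 };

struct kdc_req   { uint32_t kdc_options; ktime_t from, till, rtime; };
struct tkt_times { ktime_t starttime, endtime, renew_till; };
struct kdc_policy {                          /* per-principal and realm limits */
    ktime_t client_max_life, server_max_life, realm_max_life;
    ktime_t client_max_rlife, server_max_rlife, realm_max_rlife;
};

static ktime_t kmin(ktime_t a, ktime_t b) { return a < b ? a : b; }

/* Client side: till is a hard-coded day ahead, rtime comes from renew_lifetime. */
struct kdc_req build_as_req(ktime_t now, ktime_t renew_lifetime)
{
    struct kdc_req r;
    r.kdc_options = KDC_OPT_FORWARDABLE | KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK;
    r.from  = now;
    r.till  = now + ONE_DAY;
    r.rtime = now + renew_lifetime;
    return r;
}

/* KDC side: the process_as_req() excerpt, then the renew_till clamp.  The request
 * is taken by value: the KDC rewrites its own copy of rtime, not the client's. */
struct tkt_times kdc_issue(struct kdc_req req, const struct kdc_policy *p)
{
    struct tkt_times t;
    t.starttime = req.from;                  /* simplification: reply in the post has starttime == from */

    ktime_t until = (req.till == 0) ? KDC_INFINITY : req.till;
    t.endtime = kmin(until, kmin(t.starttime + p->client_max_life,
                     kmin(t.starttime + p->server_max_life, t.starttime + p->realm_max_life)));

    /* Ticket got shortened: force RENEWABLE and stretch rtime out to till. */
    if ((req.kdc_options & KDC_OPT_RENEWABLE_OK) && t.endtime < req.till) {
        req.kdc_options |= KDC_OPT_RENEWABLE;
        req.rtime = req.till;
    }
    ktime_t rtime = (req.rtime == 0) ? KDC_INFINITY : req.rtime;

    if (req.kdc_options & KDC_OPT_RENEWABLE)
        t.renew_till = kmin(rtime, kmin(t.starttime + p->client_max_rlife,
                       kmin(t.starttime + p->server_max_rlife, t.starttime + p->realm_max_rlife)));
    else
        t.renew_till = 0;
    return t;
}

/* Client side: the reply is compared against the request the client actually sent. */
int verify_as_reply(const struct kdc_req *req, const struct tkt_times *t)
{
    if (req->till != 0 && t->endtime > req->till)
        return VERIFY_KDCREP_MODIFIED;
    if ((req->kdc_options & KDC_OPT_RENEWABLE) && req->rtime != 0 && t->renew_till > req->rtime)
        return VERIFY_KDCREP_MODIFIED;       /* the failure the post reports */
    return VERIFY_OK;
}

/* maxlife 1 day / renewlife 7 days as in the post; realm max_life 15h is an assumption. */
static const struct kdc_policy post_policy = {
    ONE_DAY, ONE_DAY, 15 * 60 * 60, 7 * ONE_DAY, 7 * ONE_DAY, 7 * ONE_DAY
};

/* One login end to end; returns the verify result and the issued times via *out (may be NULL). */
int run_login(ktime_t now, ktime_t renew_lifetime, struct tkt_times *out)
{
    struct kdc_req req = build_as_req(now, renew_lifetime);
    struct tkt_times t = kdc_issue(req, &post_policy);
    if (out) *out = t;
    return verify_as_reply(&req, &t);
}

ktime_t issued_endtime(ktime_t now, ktime_t rl)    { struct tkt_times t; run_login(now, rl, &t); return t.endtime; }
ktime_t issued_renew_till(ktime_t now, ktime_t rl) { struct tkt_times t; run_login(now, rl, &t); return t.renew_till; }

int main(void)
{
    const ktime_t now = 1075656779;          /* the "from" value in the post */
    ktime_t rls[2] = { 24000, 7 * ONE_DAY }; /* as configured, then renew_lifetime >= ticket lifetime */
    for (int i = 0; i < 2; i++) {
        struct tkt_times t;
        int rc = run_login(now, rls[i], &t);
        printf("renew_lifetime=%lld: endtime=+%llds renew_till=+%llds -> %s\n",
               (long long)rls[i], (long long)(t.endtime - now), (long long)(t.renew_till - now),
               rc == VERIFY_OK ? "OK" : "KRB5_KDCREP_MODIFIED");
    }
    return 0;
}
```

With renew_lifetime = 24000 the model reproduces the post: endtime lands 15h out, the KDC lifts rtime to till and returns renew_till = from + 1 day, which exceeds the rtime the client sent, so the client-side check fails. Raising renew_lifetime to at least the hard-coded one-day till makes the check pass, though the renewable window the KDC grants is then still only till, not the configured renew_lifetime.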

