Renewable tickets

Russell King rmk at
Mon Feb 2 12:05:58 EST 2004

On Mon, Feb 02, 2004 at 11:37:26AM -0500, Sam Hartman wrote:
> >>>>> "Russell" == Russell King <rmk at> writes:
>     Russell> Hi, I'm not sure if this is the correct place for this.
>     Russell> I'm experimenting with Kerberos 1.3.1 with pam as
>     Russell> packaged with Fedora Core 1 from Red Hat.  I'm seeing a
>     Russell> problem when trying to get renewable principals/tickets
>     Russell> working.
> Are they really using stock 1.3?  I'm fairly certain we fixed this bug
> late in the 1.3 release cycle before the release.

It appears to be based upon the 1.3.1 release - the gpg signature seems
to confirm this (RH ship their source packages containing the original
tarball, and separate patch files for each modification they've made):

rmk at flint:[SOURCES]:<1027> gpg --verify krb5-1.3.1.tar.gz.asc krb5-1.3.1.tar.gz
gpg: Signature made Thu Jul 31 19:29:27 2003 BST using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu at MIT.EDU>"
gpg: please do a --check-trustdb
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24

Looking at the diffs between the files in this archive and with all the
Red Hat patches applied, I don't see anything which changes the behaviour
of the KDC in do_as_req.c.  krb5-1.3.1/src/lib/krb5/krb/get_in_tkt.c
doesn't contain any changes.

>     Russell> So:
>     Russell> - should the kerberos client library have a hardcoded
>     Russell> lifetime of one day?
> It certainly does.  There is not a krb5.conf parameter to adjust this
> (nor is there one documented) in the MIT code.

Neither is there one documented in the code I'm looking at.

>     Russell> - should the kerberos client libraries allow these
>     Russell> requests for renewable tickets with renewlife < lifetime?
> I don't see why not; it is a fairly strange request though.

That's my thinking as well - however, because of the hard-coded lifetime
in the library of 24 hours, and a smaller renewable lifetime in the
configuration, it appears to be a "normal" situation.  (Maybe this is
an example of a broken configuration?)

>     Russell> - should krb5kdc extend the renewable ticket lifetime if
>     Russell> it has shortened the returned ticket lifetime?
> If renewable_ok is set, yes.  That's what the spec says.

Ok.  However, verify_as_reply() in get_in_tkt() seems buggy:

        || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
            (request->rtime != 0) &&
            (as_reply->enc_part2->times.renew_till > request->rtime))
        || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
            !(request->kdc_options & KDC_OPT_RENEWABLE) &&
            (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
            (request->till != 0) &&
            (as_reply->enc_part2->times.renew_till > request->till))
        return KRB5_KDCREP_MODIFIED;

If kdc_options had KDC_OPT_RENEWABLE set, and the returned ticket's
renew_till time is later than the requested rtime, then we error out
with KRB5_KDCREP_MODIFIED - and this is exactly what's happening for

Russell King
 Linux kernel    2.6 ARM Linux   -
 maintainer of:  2.6 PCMCIA      -
                 2.6 Serial core
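
The two clauses quoted in the message above, modelled as a stand-alone C function and run on constructed times. This is an added example, not part of the original message and not krb5 code; the EX_ names, their bit values and the hour figures are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins, not krb5's own definitions; bit values are illustrative. */
#define EX_OPT_RENEWABLE    0x1u  /* stands in for KDC_OPT_RENEWABLE */
#define EX_OPT_RENEWABLE_OK 0x2u  /* stands in for KDC_OPT_RENEWABLE_OK */
#define EX_TKT_RENEWABLE    0x1u  /* renewable flag on the returned ticket */
#define EX_KDCREP_MODIFIED  (-1)  /* stands in for KRB5_KDCREP_MODIFIED */
#define HOURS(h) ((int64_t)(h) * 3600)

/* Times are seconds relative to "now"; 0 means "not set", as in the excerpt. */
int check_renew_times(uint32_t req_opts, int64_t req_till, int64_t req_rtime,
                      uint32_t rep_flags, int64_t rep_renew_till)
{
    /* Clause 1: RENEWABLE requested and the reply's renew_till is later
       than the requested rtime. */
    if ((req_opts & EX_OPT_RENEWABLE) && req_rtime != 0 &&
        rep_renew_till > req_rtime)
        return EX_KDCREP_MODIFIED;
    /* Clause 2: only RENEWABLE_OK requested, the ticket came back renewable,
       and renew_till is later than the requested till. */
    if ((req_opts & EX_OPT_RENEWABLE_OK) && !(req_opts & EX_OPT_RENEWABLE) &&
        (rep_flags & EX_TKT_RENEWABLE) && req_till != 0 &&
        rep_renew_till > req_till)
        return EX_KDCREP_MODIFIED;
    return 0;
}

int main(void)
{
    uint32_t both = EX_OPT_RENEWABLE | EX_OPT_RENEWABLE_OK;

    /* Constructed request: 24h lifetime, 12h renewable lifetime. */
    printf("renew_till 24h vs rtime 12h:       %d\n",
           check_renew_times(both, HOURS(24), HOURS(12),
                             EX_TKT_RENEWABLE, HOURS(24)));
    printf("renew_till 12h vs rtime 12h:       %d\n",
           check_renew_times(both, HOURS(24), HOURS(12),
                             EX_TKT_RENEWABLE, HOURS(12)));
    /* RENEWABLE_OK alone: the bound is the requested till, not rtime. */
    printf("RENEWABLE_OK only, renew_till 24h: %d\n",
           check_renew_times(EX_OPT_RENEWABLE_OK, HOURS(24), 0,
                             EX_TKT_RENEWABLE, HOURS(24)));
    return 0;
}
```

The first case is the one the message describes: the request carried an rtime and the reply's renew_till is later than it, so the first clause rejects the reply whether or not RENEWABLE_OK was also set.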
