AS_REQ key expiration vs principal expiration checking order?

Tom Yu tlyu at MIT.EDU
Wed Jun 24 14:03:47 EDT 2009

Existing code in src/kdc_util.c (trunk and krb5-1.7, also probably
older releases), while validating the AS_REQ, checks for key
expiration before checking for client principal expiration.  There is
a bug report that the principal expiration condition should be
reported to the client in preference to the password expiration
condition, rather than the reverse ordering, which is what the code
currently does:

Does anyone recall a reason why we might deliberately use the existing
ordering for AS_REQ validation?  RFC 4120 and RFC 1510 do not specify
anything related to this behavior.
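
The ordering question above, as an added example that is not part of the original message and is not MIT krb5 source: the two check orders return different errors to the client only when both the principal and its key have expired. The struct, function and enum names are hypothetical, treating 0 as "never expires" is an assumption, and the error numbers are those assigned in RFC 4120.

```c
#include <stdio.h>
#include <time.h>

/* Error codes as numbered in RFC 4120, section 7.5.9. */
#define KDC_ERR_NONE         0
#define KDC_ERR_NAME_EXP     1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXPIRED  23  /* password has expired */

/* Hypothetical, simplified principal record; 0 means "never expires". */
struct princ_entry {
    time_t expiration;     /* principal (account) expiration */
    time_t pw_expiration;  /* key/password expiration */
};

enum check_order { KEY_FIRST, PRINCIPAL_FIRST };

static int is_expired(time_t when, time_t now)
{
    return when != 0 && when < now;
}

/* Return the error the client would see for the chosen check order. */
int validate_as_req(const struct princ_entry *e, time_t now,
                    enum check_order order)
{
    int name_exp = is_expired(e->expiration, now);
    int key_exp = is_expired(e->pw_expiration, now);

    if (order == KEY_FIRST) {
        if (key_exp) return KDC_ERR_KEY_EXPIRED;
        if (name_exp) return KDC_ERR_NAME_EXP;
    } else {
        if (name_exp) return KDC_ERR_NAME_EXP;
        if (key_exp) return KDC_ERR_KEY_EXPIRED;
    }
    return KDC_ERR_NONE;
}

int main(void)
{
    /* Constructed sample: both expirations are in the past at now=1000. */
    struct princ_entry both = { 500, 600 };
    printf("key first: %d, principal first: %d\n",
           validate_as_req(&both, 1000, KEY_FIRST),
           validate_as_req(&both, 1000, PRINCIPAL_FIRST));
    return 0;
}
```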
