Renewable service tickets
ghudson at MIT.EDU
Wed Jun 9 12:59:41 EDT 2010
Some optional background information from the kerberos at mit.edu list is

If you request a service ticket with krb5_get_credentials(), and you
have a renewable TGT, we currently request a renewable service ticket,
because KDC_TKT_COMMON_MASK includes KDC_OPT_RENEWABLE. There are
a few problems with this:

1. The caller has probably not filled in in_creds->times.renew_till,
and we have no default for this value in
krb5int_make_tgs_request_ext(), so we wind up transmitting an rtime
field of 0 in the TGS request. This is supposed to be an absolute
timestamp, so we aren't really making a sensical RFC 4120 request in
this case. MIT and Heimdal KDCs (and probably MS KDCs as well) will
do something intelligent with the zero value, but it's still a bad
practice. Of course, we could provide a default value for
renew_till in krb5int_make_tgs_request_ext().

2. Heimdal KDCs are weirdly restrictive when you request renewable
service tickets. They calculate a maximum end time by applying the
service principal's max renewal time to the TGT's original auth time
(this is probably fine, although not what the MIT KDC does), and
then squash the ticket's validity end time to match the renewal
end time (this is not fine). As a result, a request for a renewable
service ticket can fail when a request for a non-renewable service
ticket would succeed.

3. It is a pretty dubious assumption that the caller has any
interest in a renewable service ticket. Jeff Altman pointed out
that the caller *could* sever the service ticket from the TGT and
pass it to some other process which could then renew it, but this is
pretty exotic behavior, and I'm confident that no one is doing so.
As evidence, I'll point out that krb5_get_renewed_creds() has been
broken for non-TGT ticket renewals for its entire lifetime up until
I fixed it on trunk on April 12. If we do find a reason to support
this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
application to explicitly request renewable service tickets (and
provide a default value for renew_till as noted in (1)).

KDC_TKT_COMMON_MASK is also used by krb5_fwd_tgt_creds() and
krb5_get_self_cred_from_kdc(). krb5_fwd_tgt_creds() properly sets
times.renew_till to the value from the TGT.

KDC_TKT_COMMON_MASK is a public constant in krb5.h, though I can't
imagine what use anyone outside the krb5 tree would have for it.

What I would like to do is make krb5_get_credentials() and
krb5_get_self_cred_from_kdc() not propagate the renewable flag from
the TGT. For the sake of conservatism, I'll propose adding a new mask
to lib/krb5/int-proto.h for use by those functions, and leaving

Comments are appreciated.
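
Added illustration, not part of the original message or of the krb5 tree: a small C model of how filtering the TGT's flags through KDC_TKT_COMMON_MASK yields the request described in problem (1), and what a mask without the renewable bit changes. The `ex_`/`EX_` names and the sample TGT values are hypothetical; the three bit values are those defined in krb5.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values as in krb5.h; ticket flags and KDC options share positions. */
#define KDC_OPT_FORWARDABLE 0x40000000u
#define KDC_OPT_RENEWABLE   0x00800000u
#define KDC_TKT_COMMON_MASK 0x54800000u
/* Hypothetical name: the common mask without the renewable bit. */
#define EX_MASK_NO_RENEW    (KDC_TKT_COMMON_MASK & ~KDC_OPT_RENEWABLE)

/* Simplified stand-in for the TGS-REQ fields discussed in the message. */
struct ex_req { uint32_t kdc_options; int32_t rtime; };

/* Constructed sample TGT: forwardable and renewable. */
static const uint32_t ex_tgt_flags = KDC_OPT_FORWARDABLE | KDC_OPT_RENEWABLE;
static const int32_t ex_tgt_renew_till = 1276700000;

/* Options are the TGT flags filtered by the mask; rtime is whatever the
 * caller left in in_creds->times.renew_till (0 when never filled in). */
struct ex_req ex_make_req(uint32_t mask, int32_t caller_renew_till)
{
    struct ex_req r = { ex_tgt_flags & mask, caller_renew_till };
    return r;
}

/* Problem (1): renewable requested, but rtime is not an absolute time. */
int ex_zero_rtime(struct ex_req r)
{
    return (r.kdc_options & KDC_OPT_RENEWABLE) != 0 && r.rtime == 0;
}

static void ex_show(const char *label, struct ex_req r)
{
    printf("%-28s opts=0x%08x rtime=%d zero-rtime=%d\n", label,
           (unsigned)r.kdc_options, (int)r.rtime, ex_zero_rtime(r));
}

int main(void)
{
    /* Current behaviour with renew_till unset by the caller. */
    ex_show("common mask, unset:", ex_make_req(KDC_TKT_COMMON_MASK, 0));
    /* A caller that copies renew_till from the TGT, as krb5_fwd_tgt_creds() does. */
    ex_show("common mask, TGT renew_till:",
            ex_make_req(KDC_TKT_COMMON_MASK, ex_tgt_renew_till));
    /* Proposed behaviour: renewable bit not propagated. */
    ex_show("no-renew mask, unset:", ex_make_req(EX_MASK_NO_RENEW, 0));
    return 0;
}
```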