Renewable service tickets

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Jun 9 12:59:41 EDT 2010


Some optional background information from the kerberos at mit.edu list is
here:

http://mailman.mit.edu/pipermail/kerberos/2010-May/016190.html
http://mailman.mit.edu/pipermail/kerberos/2010-June/016258.html
http://mailman.mit.edu/pipermail/kerberos/2010-June/016267.html

If you request a service ticket with krb5_get_credentials(), and you
have a renewable TGT, we currently request a renewable service ticket,
because KDC_TKT_COMMON_MASK includes KDC_OPT_RENEWABLE.  There are
a few problems with this:

  1. The caller has probably not filled in in_creds->times.renew_till,
  and we have no default for this value in
  krb5int_make_tgs_request_ext(), so we wind up transmitting an rtime
  field of 0 in the TGS request.  This is supposed to be an absolute
  timestamp, so we aren't really making a sensical RFC 4120 request in
  this case.  MIT and Heimdal KDCs (and probably MS KDCs as well) will
  do something intelligent with the zero value, but it's still a bad
  practice.  Of course, we could provide a default value for
  renew_till in krb5int_make_tgs_request_ext().

  2. Heimdal KDCs are weirdly restrictive when you request renewable
  service tickets.  They calculate a maximum end time by applying the
  service principal's max renewal time to the TGT's original auth time
  (this is probably fine, although not what the MIT KDC does), and
  then squash the ticket's validity end time to match the renewal
  end time (this is not fine).  As a result, a request for a renewable
  service ticket can fail when a request for a non-renewable service
  ticket would succeed.

  3. It is a pretty dubious assumption that the caller has any
  interest in a renewable service ticket.  Jeff Altman pointed out
  that the caller *could* sever the service ticket from the TGT and
  pass it to some other process which could then renew it, but this is
  pretty exotic behavior, and I'm confident that no one is doing so.
  As evidence, I'll point out that krb5_get_renewed_creds() has been
  broken for non-TGT ticket renewals for its entire lifetime up until
  I fixed it on trunk on April 12.  If we do find a reason to support
  this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
  application to explicitly request renewable service tickets (and
  provide a default value for renew_till as noted in (1)).

KDC_TKT_COMMON_MASK is also used by krb5_fwd_tgt_creds() and
krb5_get_self_cred_from_kdc().  krb5_fwd_tgt_creds() properly sets
times.renew_till to the value from the TGT.

KDC_TKT_COMMON_MASK is a public constant in krb5.h, though I can't
imagine what use anyone outside the krb5 tree would have for it.

What I would like to do is make krb5_get_credentials() and
krb5_get_self_cred_from_kdc() not propagate the renewable flag from
the TGT.  For the sake of conservatism, I'll propose adding a new mask
to lib/krb5/int-proto.h for use by those functions, and leaving
KDC_TKT_COMMON_MASK alone.

Comments are appreciated.
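
An added illustration of the three points above, not code from the post
or from the krb5 tree: a small C model of how a TGS request's kdc-options
are derived from a cached TGT under KDC_TKT_COMMON_MASK versus a narrower
mask that drops KDC_OPT_RENEWABLE, plus a model of the Heimdal-style
end-time squashing described in (2).  The option bit values are copied
from krb5.h; KDC_TKT_NONRENEW_MASK and KRB5_GC_RENEWABLE_HYPOTHETICAL are
hypothetical names for the proposed mask and opt-in flag, the
heimdal_like_issue() function is a model built only from the description
in (2) rather than Heimdal's code, and all times (TGT issued at t=0, a
request 8 hours later, a service with a 10 hour max life but only a 6
hour max renewable life) are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* KDC option bits, values as defined in MIT krb5's krb5.h (copied here so
 * the example builds without the library).  Ticket flags use the same bit
 * positions, which is why a single mask can be applied to tgt->ticket_flags. */
#define KDC_OPT_FORWARDABLE    0x40000000u
#define KDC_OPT_PROXIABLE      0x10000000u
#define KDC_OPT_ALLOW_POSTDATE 0x04000000u
#define KDC_OPT_RENEWABLE      0x00800000u
/* Public mask currently applied to the TGT's flags by krb5_get_credentials():
 * forwardable | proxiable | allow-postdate | renewable. */
#define KDC_TKT_COMMON_MASK    0x54800000u
/* Hypothetical narrower mask in the spirit of the proposal (not in krb5). */
#define KDC_TKT_NONRENEW_MASK  (KDC_TKT_COMMON_MASK & ~KDC_OPT_RENEWABLE)
/* Hypothetical opt-in flag a caller would pass to ask for a renewable
 * service ticket explicitly (the KRB5_GC_RENEWABLE idea in point 3). */
#define KRB5_GC_RENEWABLE_HYPOTHETICAL 0x1000u

#define HOUR 3600

struct tkt_times { int32_t authtime; int32_t endtime; int32_t renew_till; };

struct tgs_req {
    uint32_t kdc_options;
    int32_t till;    /* requested end time */
    int32_t rtime;   /* requested renew-till; 0 means the caller never set it */
};

/* Derive the TGS-REQ from a cached TGT and the caller's in_creds times.
 * With the current mask the renewable bit is copied from the TGT while
 * rtime stays 0, which is the malformed request described in point 1. */
struct tgs_req build_tgs_req(uint32_t tgt_flags, const struct tkt_times *tgt,
                             const struct tkt_times *in_creds, uint32_t mask,
                             uint32_t gc_flags)
{
    struct tgs_req req;
    req.kdc_options = tgt_flags & mask;
    req.till = in_creds->endtime;
    req.rtime = in_creds->renew_till;
    if (gc_flags & KRB5_GC_RENEWABLE_HYPOTHETICAL) {
        req.kdc_options |= KDC_OPT_RENEWABLE;
        if (req.rtime == 0)
            req.rtime = tgt->renew_till;  /* default from the TGT, as krb5_fwd_tgt_creds() does */
    }
    return req;
}

/* Model of the Heimdal behaviour described in point 2 (assumption, not
 * Heimdal's code): renewal end = TGT authtime + service max renewable life,
 * and the validity end time is squashed down to it.  Returns 1 if a ticket
 * would be issued, 0 if the squashed ticket would already be expired. */
int heimdal_like_issue(const struct tgs_req *req, const struct tkt_times *tgt,
                       int32_t now, int32_t svc_max_life, int32_t svc_max_renew,
                       struct tkt_times *out)
{
    int32_t endtime = now + svc_max_life;
    if (req->till != 0 && req->till < endtime)
        endtime = req->till;
    out->authtime = tgt->authtime;
    out->renew_till = 0;
    if (req->kdc_options & KDC_OPT_RENEWABLE) {
        int32_t renew_end = tgt->authtime + svc_max_renew;
        out->renew_till = renew_end;
        if (endtime > renew_end)
            endtime = renew_end;          /* the squash */
    }
    out->endtime = endtime;
    return endtime > now;
}

/* Constructed scenario: renewable, forwardable TGT issued at t=0 with a
 * 7 day renewable life; the service request happens 8 hours later; the
 * service principal allows a 10 hour life but only a 6 hour renewable life.
 * The caller, as is typical, left in_creds->times entirely zero. */
static const uint32_t TGT_FLAGS = KDC_OPT_FORWARDABLE | KDC_OPT_RENEWABLE;

static int run_scenario(uint32_t mask, uint32_t gc_flags,
                        struct tgs_req *req_out, struct tkt_times *tkt_out)
{
    struct tkt_times tgt = { 0, 10 * HOUR, 7 * 24 * HOUR };
    struct tkt_times in_creds = { 0, 0, 0 };
    int32_t now = 8 * HOUR;
    *req_out = build_tgs_req(TGT_FLAGS, &tgt, &in_creds, mask, gc_flags);
    return heimdal_like_issue(req_out, &tgt, now, 10 * HOUR, 6 * HOUR, tkt_out);
}

int main(void)
{
    struct tgs_req req;
    struct tkt_times tkt;
    int ok;

    ok = run_scenario(KDC_TKT_COMMON_MASK, 0, &req, &tkt);
    printf("current mask:   renewable=%d rtime=%d issued=%d endtime=%dh\n",
           (req.kdc_options & KDC_OPT_RENEWABLE) != 0, req.rtime, ok, tkt.endtime / HOUR);
    ok = run_scenario(KDC_TKT_NONRENEW_MASK, 0, &req, &tkt);
    printf("proposed mask:  renewable=%d rtime=%d issued=%d endtime=%dh\n",
           (req.kdc_options & KDC_OPT_RENEWABLE) != 0, req.rtime, ok, tkt.endtime / HOUR);
    ok = run_scenario(KDC_TKT_NONRENEW_MASK, KRB5_GC_RENEWABLE_HYPOTHETICAL, &req, &tkt);
    printf("explicit opt-in: renewable=%d rtime=%d issued=%d endtime=%dh\n",
           (req.kdc_options & KDC_OPT_RENEWABLE) != 0, req.rtime, ok, tkt.endtime / HOUR);
    return 0;
}
```

The first run shows the current behaviour: the renewable bit rides along
from the TGT, rtime goes out as 0, and the Heimdal-style KDC squashes the
end time to the 6 hour renewal limit, which is already in the past, so the
request fails.  The second run uses the narrower mask and the same
request succeeds with an 18 hour end time.  The third run shows what an
explicit opt-in with a defaulted renew_till would look like; the KDC model
still refuses it, which is exactly the point that such a request is only
worth sending when the caller actually wants a renewable service ticket.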
