preserve original starttime on renewed TGTs

Frank Cusack frank+krb at linetwo.net
Fri Nov 19 16:21:34 EST 2010


When running 'kinit -R', the KDC resets the starttime on the returned
TGT to "now".  I'd like to modify my KDC to preserve the original
starttime instead.  That could make a renewed TGT appear to have longer
than the normal maximum configured lifetime, but it seems like a fairly
trivial non-problem.  As opposed to a postdated ticket, this would now
be a predated ticket.

This change would violate RFC 4120 par 3.3.3:

  If the new ticket is to be a renewal, then the endtime above is
  replaced by ... the starttime for the new ticket plus the life
  (endtime-starttime) of the old ticket.

That is, the endtime would no longer be the starttime of the new
ticket plus the life of the old ticket.

But I don't see how it'd be a problem in practice.  Note that the new
ticket would still have the correct lifetime.

Further renewals (ie, of the renewed ticket) would again violate this
section in that the KDC would not know the original ticket's lifetime
(it's no longer preserved in the renewed TGT presented to the KDC), so
it'd have to choose the lifetime based on the configured maximum
ticket lifetime.  For most uses, where people/applications don't request
renewable tickets with shorter than maximum lifetimes, I submit that
this is not a problem.

Anyone think I am wrong and this violation of RFC 4120 3.3.3 would be a
problem? Or any other issues with this plan?

If I made it a configurable KDC option, would MIT be likely to accept
the patch?
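A worked model of the two renewal rules discussed in the post, added here as an illustration and not code from the post or from MIT Kerberos: `renew_rfc4120` follows RFC 4120 3.3.3, while `renew_preserve_start` models the proposed variant under the assumption that the KDC caps the presented ticket's apparent life at the configured maximum, since nothing in the ticket tells it the original life. All policy values and timestamps are constructed.

```python
from dataclasses import dataclass

# Constructed sample policy: 10 hour max ticket life, 7 day renewable life.
MAX_LIFE = 10 * 3600
RENEW_TILL = 7 * 24 * 3600


@dataclass(frozen=True)
class Tgt:
    """Times are seconds since an arbitrary epoch (constructed values)."""
    starttime: int
    endtime: int
    renew_till: int


def renew_rfc4120(old: Tgt, now: int, max_life: int = MAX_LIFE) -> Tgt:
    """RFC 4120 3.3.3: starttime becomes 'now'; endtime is now plus the old
    ticket's life (endtime - starttime), bounded by renew_till and policy."""
    life = old.endtime - old.starttime
    end = min(now + life, now + max_life, old.renew_till)
    return Tgt(starttime=now, endtime=end, renew_till=old.renew_till)


def renew_preserve_start(old: Tgt, now: int, max_life: int = MAX_LIFE) -> Tgt:
    """Variant from the post: keep the original starttime. A previously renewed
    TGT then carries an inflated (endtime - starttime), so the KDC cannot recover
    the original life and (assumption) falls back to the configured maximum."""
    apparent_life = old.endtime - old.starttime
    life = min(apparent_life, max_life)
    end = min(now + life, old.renew_till)
    return Tgt(starttime=old.starttime, endtime=end, renew_till=old.renew_till)


def renew_chain(renew, initial: Tgt, renewal_times):
    """Apply successive renewals and return every TGT issued along the way."""
    issued = [initial]
    for now in renewal_times:
        issued.append(renew(issued[-1], now))
    return issued


def exceeds_max_life(t: Tgt, max_life: int = MAX_LIFE) -> bool:
    """The 'predated' effect: the ticket spans more than policy would ever grant."""
    return t.endtime - t.starttime > max_life


def compare(requested_life: int, renewal_times):
    """Pair up the endtimes issued by each rule for the same renewal schedule."""
    initial = Tgt(0, requested_life, RENEW_TILL)
    rfc = renew_chain(renew_rfc4120, initial, renewal_times)
    alt = renew_chain(renew_preserve_start, initial, renewal_times)
    return [(r.endtime, a.endtime) for r, a in zip(rfc, alt)]
```

For a ticket requested with the maximum life, `compare(MAX_LIFE, [30000, 60000])` gives identical endtimes under both rules even though the variant's tickets all report starttime 0; with an 8 hour request, `compare(8 * 3600, [25200, 50000])` shows the second renewal diverging (78800 under the RFC rule, 86000 under the variant), which is the case the post argues is rare in practice.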
