preserve original starttime on renewed TGTs
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Nov 19 18:24:19 EST 2010

On 11/19/2010 5:01 PM, Nicolas Williams wrote:
> On Fri, Nov 19, 2010 at 04:43:42PM -0500, Simo Sorce wrote:
>> On Fri, 19 Nov 2010 13:21:34 -0800
>> Frank Cusack <frank+krb at linetwo.net> wrote:
>>
>>> When running 'kinit -R', the KDC resets the starttime on the returned
>>> TGT to "now". I'd like to modify my KDC to preserve the original
>>> starttime instead. That could make a renewed TGT appear to have
>>> longer than the normal maximum configured lifetime, but it seems like
>>> a fairly trivial non-problem. As opposed to a postdated ticket, this
>>> would now be a predated ticket.
>>
>> Hi Frank,
>> I am curious to understand why you want to do that.
>> What class of use cases does it solve?
>
> My guess: it helps deal with servers whose clocks are a little bit
> behind (but still within skew).

I'm going to put my money on KCA issued short-lived certificates. The
certs are frequently issued with a period of validity from starttime to
max renew lifetime.
Jeffrey Altman