preserve original starttime on renewed TGTs
Frank Cusack
frank+krb at linetwo.net
Fri Nov 19 20:20:23 EST 2010
On 11/19/10 4:43 PM -0500 Simo Sorce wrote:
> On Fri, 19 Nov 2010 13:21:34 -0800
> Frank Cusack <frank+krb at linetwo.net> wrote:
>
>> When running 'kinit -R', the KDC resets the starttime on the returned
>> TGT to "now". I'd like to modify my KDC to preserve the original
>> starttime instead. That could make a renewed TGT appear to have
>> longer than the normal maximum configured lifetime, but it seems like
>> a fairly trivial non-problem. As opposed to a postdated ticket, this
>> would be now be a predated ticket.
>
> Hi Frank,
> I am curious to understand why you want to do that.
> What class of use cases does it solve?
I would like an application to be able to determine the last time the
user actually authenticated and make a decision based on that. With
renewable TGTs you can't determine how long ago the user actually
interactively authenticated.
It'd be a burden (both for the user, and administratively) to require
special purpose user/foo principals (which could have a short lifetime
and no renewability) for said applications.
I can go into more detail if that isn't sufficient, but I think it is
enough to understand the problem? Nice guesses by others, though.
Wait a second. I see this already exists, it's the authtime field.
And RFC 4120 describes exactly this usage. I guess I missed it since
klist doesn't show it.
More information about the krbdev
mailing list