preserve original starttime on renewed TGTs

Frank Cusack frank+krb at
Fri Nov 19 20:20:23 EST 2010

On 11/19/10 4:43 PM -0500 Simo Sorce wrote:
> On Fri, 19 Nov 2010 13:21:34 -0800
> Frank Cusack <frank+krb at> wrote:
>> When running 'kinit -R', the KDC resets the starttime on the returned
>> TGT to "now".  I'd like to modify my KDC to preserve the original
>> starttime instead.  That could make a renewed TGT appear to have
>> longer than the normal maximum configured lifetime, but it seems like
>> a fairly trivial non-problem.  As opposed to a postdated ticket, this
>> would be now be a predated ticket.
> Hi Frank,
> I am curious to understand why you want to do that.
> What class of use cases does it solve?

I would like an application to be able to determine the last time the
user actually authenticated and make a decision based on that.  With
renewable TGTs you can't determine how long ago the user actually
interactively authenticated.

It'd be a burden (both for the user, and administratively) to require
special purpose user/foo principals (which could have a short lifetime
and no renewability) for said applications.

I can go into more detail if that isn't sufficient, but I think it is
enough to understand the problem?  Nice guesses by others, though.

Wait a second.  I see this already exists, it's the authtime field.
And RFC 4120 describes exactly this usage.  I guess I missed it since
klist doesn't show it.

More information about the krbdev mailing list