Don't include krb5_kdc_req->from if default start time

Greg Hudson ghudson at MIT.EDU
Fri May 11 12:00:54 EDT 2012


On 05/08/2012 05:31 AM, Stef Walter wrote:
> This does have a small gotcha. If a start time is passed to kinit (via
> -s) and that start time does just happen to be the current time (at the
> time that the KDC authentication request is encoded) then the start time
> will not be respected. Is this a problem? And if so, is there a
> transparent way we can remedy this corner case?

Our KDC and Heimdal's KDC actually ignore the request's start time
unless the request includes the postdated option.  So I think it's
reasonable for krb5_get_init_creds to omit the start time if (1)
start_time is 0, and (2) options->flags does not include
KRB5_GET_INIT_CREDS_OPT_PROXIABLE.  I don't think we even need to check
for KRB5_LIBOPT_SYNC_KDCTIME.

I can modify the patch appropriately; it should be a trivial change.

