AS-REQ with till being the epoch

Weijun Wang at
Tue Aug 29 19:21:16 EDT 2017

> On Aug 29, 2017, at 10:59 PM, Greg Hudson <ghudson at> wrote:
> On 08/29/2017 09:38 AM, Weijun Wang wrote:
>> It looks like if I set the till field in AS-REQ to the epoch, the issued ticket will have a very big endtime (Ex: now it's 2106-02-07 06:28:15 (UTC)).
> I guess you have also configured the KDC not to have any ticket lifetime
> limits, so the KDC winds up using kdc_infinity (2**32-1) as the ticket
> end time.
> If "set the till field in AS-REQ to the epoch" you mean the client is
> sending "19700101000000Z" in the till field, this is technically a bug
> since the client requested a never-valid ticket, not a ticket valid for
> a long time.

According to

      This field contains the expiration date requested by the client in
      a ticket request.  It is not optional, but if the requested
      endtime is "19700101000000Z", the requested ticket is to have the
      maximum endtime permitted according to KDC policy.  Implementation
      note: This special timestamp corresponds to a UNIX time_t value of
      zero on most systems.

>  But it doesn't seem like an important bug, as you say.
>> But if I call kvno with this TGT in ccache, I see a "Ticket expired while getting credentials" error. Maybe somewhere in the KDC that very big endtime is mistakenly treated as a very small number?
> The y2038 changes on master are only intended to work up until times
> near 2106, so this behavior isn't surprising.  I suspect the KDC is
> adding the clock skew (300) to 2**32-1 with 32-bit unsigned arithmetic,
> producing a small number.

Will this be fixed?

>> The KRB-ERROR reply to TGS-REQ has a strange ctime: 1974-12-10
>> 21:52:23 (UTC).
> Apparently we set the KRB-ERROR ctime to the client nonce, for both AS
> and TGS replies.  I had no idea we did this; it is clearly broken, as
> there is no good reason to believe that the client is using its system
> time as the nonce.  Even going back to RFC 1510, a random nonce is
> recommended for KDC requests.  I will fix it (by not setting the ctime
> field).

I see.


More information about the krbdev mailing list