[32447] in Kerberos


Re: bug?: erroneous start time for max renewable life check

daemon@ATHENA.MIT.EDU (Richard Johnson)
Wed Jun 9 17:16:41 2010

Date: Wed, 9 Jun 2010 13:54:06 -0600
From: Richard Johnson <rjohnson@ucar.edu>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20100609195405.GA22635@ucar.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1276100136.2419.1102.camel@ray>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Jun 09, 2010 at 12:15:36PM -0400, Greg Hudson wrote:
> I think the most practical fix for your problem is to make the Heimdal
> KDC more forgiving--it should not squash the validity end time of the
> ticket simply because it calculated a lower maximum renewable end time.

Thanks for the more precise ID of the problem.  The Heimdal KDC should
probably use a more reasonable start time if it's going to calculate
lifetimes.

> If I were a Heimdal developer, I'd propose removing this line from
> krb5tgs.c:
> 
>         et.endtime = min(et.endtime, *et.renew_till);

Thanks.  I'll test it and pursue that fix or a similar one.

> I'm certainly happy to change the MIT krb5 client code to not request
> renewable service tickets, and I'll bring that up on the krbdev list.
> But it's much easier to change your KDC than to change your OS-native
> client code on every client.

Jeffrey Altman pointed out that my assumption of always having the TGT
around when using the ftp service ticket is incorrect.  Having a renewable
service ticket without requiring keeping/passing around the TGT can be
safer, and I'd thus be hesitant to have others lose that option.


Richard

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
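The lifetime computation the thread argues about, modelled as an added example; this is illustrative code written for this archive page, not Heimdal's or MIT krb5's source. The function `compute_times`, its `renew_base` parameter (standing in for the "erroneous start time" of the subject line), the `squash_endtime` switch (standing in for the quoted `et.endtime = min(et.endtime, *et.renew_till)` line) and the constructed epoch value are all assumptions made to show the effect, not details taken from either KDC.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of a KDC's ticket-lifetime decision (hypothetical, not
 * Heimdal code). Times are seconds since the epoch; renew_till 0 means the
 * ticket is not renewable. */
typedef struct {
    time_t starttime;   /* validity start the endtime is measured from */
    time_t endtime;     /* validity end actually granted */
    time_t renew_till;  /* renewable-until actually granted (0 = none) */
} ticket_times;

static time_t min_time(time_t a, time_t b) { return a < b ? a : b; }

/* req_end / req_renew_till: what the client asked for.
 * max_life / max_renew_life: policy limits for the principal.
 * renew_base: the start time the KDC uses as the base for the maximum
 *   renewable end. In the thread's bug this base is earlier than the real
 *   start, so the computed maximum renewable end comes out too early.
 * squash_endtime: apply the clamp quoted in the thread,
 *   et.endtime = min(et.endtime, *et.renew_till). */
ticket_times compute_times(time_t starttime, time_t req_end, time_t req_renew_till,
                           time_t max_life, time_t max_renew_life,
                           time_t renew_base, int squash_endtime)
{
    ticket_times t;
    t.starttime = starttime;
    t.endtime = min_time(req_end, starttime + max_life);
    t.renew_till = 0;
    if (req_renew_till != 0) {
        t.renew_till = min_time(req_renew_till, renew_base + max_renew_life);
        if (squash_endtime)
            t.endtime = min_time(t.endtime, t.renew_till);
    }
    return t;
}

/* Constructed scenario: 10-hour tickets, 7-day renewable life, client asks
 * for the maximum of both. START is an arbitrary constructed epoch value. */
#define HOUR 3600L
#define DAY (24L * HOUR)
#define START 1000000000L

/* Endtime when the KDC bases the renewable limit on the real start time. */
time_t endtime_correct_base(int squash)
{
    return compute_times(START, START + 10 * HOUR, START + 7 * DAY,
                         10 * HOUR, 7 * DAY, START, squash).endtime;
}

/* Endtime when the base is erroneously 6 days 23 hours in the past, so the
 * maximum renewable end lands only one hour after the ticket starts. */
time_t endtime_bad_base(int squash)
{
    return compute_times(START, START + 10 * HOUR, START + 7 * DAY,
                         10 * HOUR, 7 * DAY, START - 7 * DAY + HOUR, squash).endtime;
}

int main(void)
{
    printf("correct base, squash on : lifetime %ld s\n",
           (long)(endtime_correct_base(1) - START));  /* 36000 */
    printf("bad base,     squash on : lifetime %ld s\n",
           (long)(endtime_bad_base(1) - START));      /* 3600: validity cut to 1h */
    printf("bad base,     squash off: lifetime %ld s\n",
           (long)(endtime_bad_base(0) - START));      /* 36000: validity intact */
    return 0;
}
```

With the clamp in place, a too-early renewable end silently shortens the service ticket's validity from ten hours to one; removing the clamp (Greg's proposal) leaves the validity end alone and only the renewable limit is affected, while fixing the base time (Richard's point) removes the bad renewable limit in the first place. Both fixes are visible in the model, and a KDC can reasonably do both.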
