[3724] in Kerberos


Re: Refreshing a single credential?

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Wed Aug 17 10:04:12 1994

To: kerberos@MIT.EDU
Date: Wed, 17 Aug 1994 09:17:26
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

db74+@andrew.cmu.edu (Derrick J. Brashear) writes:
>It's come up that a service key may have its kvno incremented, and
>people who have the service key with the old kvno in their ticket files
>will lose. Has anyone come up with a way to deal with this?
>
>Here's what I proposed:
>Use krbtgt in our ticket file to get a new krbtgt, in a fresh ticket file.
>Either:
>A)
>Get a list of the creds in our old ticket file, and get these fresh in
>    the new ticket file
>Then nuke the old ticket file, and move the new one into its place
>or:
>B)
>Get just the credential for which the kvno has changed in the new ticket
>file, use the ticket file, then nuke it.

Idea A won't work if you have client software which does the following
(which is quite common):
1. Calls krb5_mk_req() or krb_mk_req() to build an authenticator for an
application server, and transmits it to that server.
2. Once authentication is established, calls krb5_get_credentials() or
krb_get_cred() to get the session key for the ticket, in order to perform
encryption or whatever else.

If your "ticket-refreshing" program runs in between steps 1 and 2, the
other software will get the wrong session key, and thus will fail.

Actually, if you're using V5, using krb5_mk_req_extended() solves this
problem.  But even if that is the case, or if you use idea B, it seems
wrong to have an application server-side change force a change to clients
who already have tickets.

>Any better ideas, or preferences?

The right thing to do would be to have the application server store
both the old and the new versions of the service key(s) in question,
at least until all tickets that could have been issued for the old
key have expired.  Both krb5_rd_req() and krb_rd_req() can deal properly
with having multiple service keys (with different kvnos) for the same
principal in the same keyfile.  Of course, you can't set up keyfiles
this way using just ext_srvtab (V4) or kdb5_edit (V5), but ksrvutil under
V4 can do the right thing, and while I don't see a program under V5
that does the same thing (although that may just be because I'm not
looking hard enough), it wouldn't be hard to write one.

-Shawn Mamros
E-mail to: mamros@ftp.com
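A simulation of the server-side behaviour Shawn describes, added here as an example (it is not MIT Kerberos code): a keytab holding two kvnos for one principal, an rd_req() stand-in that selects the key by the kvno carried in the ticket, and a retirement rule that drops the old key only once every ticket that could have been issued under it has expired. The principal name, key bytes, timestamps and the HMAC used in place of real ticket encryption are all constructed assumptions.

```python
import hashlib, hmac
from dataclasses import dataclass

# Simulated keytab entry: a service key tagged with its kvno and install time.
@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes
    installed_at: int  # seconds, like a Kerberos timestamp

def _ticket_body(principal, kvno, client, end_time):
    return f"{principal}|{kvno}|{client}|{end_time}".encode()

def mk_ticket(principal, kvno, key, client, end_time):
    # KDC side (simulated): a real ticket is encrypted under the service key of
    # this kvno; an HMAC under that key stands in for the encryption here.
    tag = hmac.new(key, _ticket_body(principal, kvno, client, end_time), hashlib.sha256).digest()
    return (principal, kvno, client, end_time, tag)

def rd_req(keytab, ticket, now):
    # Server side: pick the key by the kvno carried in the ticket, the way
    # krb5_rd_req() can when the keytab holds several kvnos for one principal.
    principal, kvno, client, end_time, tag = ticket
    match = [e for e in keytab if e.principal == principal and e.kvno == kvno]
    if not match:
        return f"error: no key with kvno {kvno} for {principal}"
    expected = hmac.new(match[0].key, _ticket_body(principal, kvno, client, end_time), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "error: ticket integrity check failed"
    if now > end_time:
        return "error: ticket expired"
    return "ok: " + client

def retire_superseded_keys(keytab, now, max_ticket_life):
    # Drop an old kvno only once every ticket the KDC could have issued under
    # it (anything issued before the newer key went in) has expired.
    kept = []
    for e in keytab:
        newer = [n.installed_at for n in keytab if n.principal == e.principal and n.kvno > e.kvno]
        if newer and now >= min(newer) + max_ticket_life:
            continue
        kept.append(e)
    return kept

# Constructed scenario: kvno 3 installed at t=0, rolled to kvno 4 at t=1000;
# tickets live at most 36000 s; the client's ticket was issued at t=900.
SVC = "rcmd.host@EXAMPLE.ORG"
OLD, NEW = KeytabEntry(SVC, 3, b"old-key", 0), KeytabEntry(SVC, 4, b"new-key", 1000)
OLD_TICKET = mk_ticket(SVC, 3, b"old-key", "client@EXAMPLE.ORG", 900 + 36000)
```

With only NEW in the keytab the old ticket is rejected for want of a kvno 3 key; with both entries it verifies, and the old key can be retired at t=37000.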

