[1826] in Kerberos-V5-bugs
[Bill Sommerfeld: Re: KRB5 User to User (KDC_OPT_ENC_TKT_IN_SKEY) functionality]
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Mar 1 21:04:46 1996
Date: Fri, 1 Mar 1996 21:04:36 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU
------- Forwarded Message
X-Mailer: exmh version 1.6.2 7/18/95
To: burati@apollo.hp.com
Cc: Theodore Ts'o <tytso@MIT.EDU>, greg@apollo.hp.com
Subject: Re: KRB5 User to User (KDC_OPT_ENC_TKT_IN_SKEY) functionality
In-Reply-To: burati's message of Fri, 01 Mar 1996 16:03:41 -0500.
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Fri, 01 Mar 1996 16:26:40 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
-----BEGIN PGP SIGNED MESSAGE-----
content-type: text/plain; charset=us-ascii
> Hi...
> While trying to make use of the user to user protocol, I noticed what
> we believe is a bug in the ticket generation in process_tgs_request in
> do_tgs_req.c.
> The endtime of the SKEY is never taken into account when generating
> the new ticket. This means that a ticket could outlive the TGT SKEY of the
> server that it's intended for. Can you let us know if you agree that it's
> a bug, or if there was some reason why it was done this way?
Just as a followup to Mike,
We think this is a bug because once the server's TGT expires, the
client's TGT is at least theoretically worthless, so there's no point
in the client caching it or thinking it might still be valid. The
client can't know when it will become meaningless because it can't
extract the server's TGT expiration time out of the ticket.
We can talk about this at the IETF if you don't have time right now..
- Bill
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
------- End Forwarded Message
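
The endtime calculation discussed in this thread, as an added illustration (not code from MIT krb5 or from the posters): the first function ignores the server's TGT as the report describes, the second also bounds the ticket by it when enc-tkt-in-skey is set. The struct, field and function names are hypothetical; only the option bit comes from the Kerberos protocol, and the sample times are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not MIT krb5's structures. */
#define OPT_ENC_TKT_IN_SKEY 0x00000008u  /* enc-tkt-in-skey, KDCOptions bit 28 */

typedef int64_t ktime;                   /* seconds since the epoch */

struct tgs_inputs {
    uint32_t kdc_options;   /* options from the TGS-REQ */
    ktime now;              /* KDC clock; used as the new ticket's starttime */
    ktime till;             /* endtime the client asked for */
    ktime max_life;         /* policy limit on ticket lifetime, in seconds */
    ktime client_tgt_end;   /* endtime of the TGT in the request header */
    ktime server_tgt_end;   /* endtime of the additional (server) TGT */
};

static ktime min_time(ktime a, ktime b) { return a < b ? a : b; }

/* Endtime as the report describes it: the server's TGT is never consulted. */
ktime endtime_unclamped(const struct tgs_inputs *in)
{
    ktime end = min_time(in->till, in->client_tgt_end);
    return min_time(end, in->now + in->max_life);
}

/* Same calculation, also bounded by the server's TGT for user-to-user.
 * Returns 0 when that TGT has already expired; a real KDC would answer
 * with an error instead of issuing a ticket. */
ktime endtime_clamped(const struct tgs_inputs *in)
{
    ktime end = endtime_unclamped(in);
    if (in->kdc_options & OPT_ENC_TKT_IN_SKEY) {
        if (in->server_tgt_end <= in->now)
            return 0;
        end = min_time(end, in->server_tgt_end);
    }
    return end;
}

int main(void)
{
    /* Constructed sample: client TGT good for 10 hours, server TGT for 1 hour. */
    struct tgs_inputs in = { OPT_ENC_TKT_IN_SKEY, 1000, 1000 + 36000,
                             36000, 1000 + 36000, 1000 + 3600 };
    printf("unclamped=%lld clamped=%lld\n",
           (long long)endtime_unclamped(&in), (long long)endtime_clamped(&in));
    return 0;
}
```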