[16500] in Kerberos_V5_Development
Re: preserve original starttime on renewed TGTs
daemon@ATHENA.MIT.EDU (Frank Cusack)
Fri Nov 19 20:20:31 2010
Date: Fri, 19 Nov 2010 17:20:23 -0800
From: Frank Cusack <frank+krb@linetwo.net>
To: Simo Sorce <ssorce@redhat.com>, krbdev@mit.edu
Message-ID: <7D4ECC1251D74FF4398B651A@cusack.local>
In-Reply-To: <20101119164342.49d56360@willson.li.ssimo.org>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 11/19/10 4:43 PM -0500 Simo Sorce wrote:
> On Fri, 19 Nov 2010 13:21:34 -0800
> Frank Cusack <frank+krb@linetwo.net> wrote:
>
>> When running 'kinit -R', the KDC resets the starttime on the returned
>> TGT to "now". I'd like to modify my KDC to preserve the original
>> starttime instead. That could make a renewed TGT appear to have
>> longer than the normal maximum configured lifetime, but it seems like
>> a fairly trivial non-problem. As opposed to a postdated ticket, this
>> would now be a predated ticket.
>
> Hi Frank,
> I am curious to understand why you want to do that.
> What class of use cases does it solve?
I would like an application to be able to determine the last time the
user actually authenticated and make a decision based on that. With
renewable TGTs you can't determine how long ago the user actually
interactively authenticated.
It'd be a burden (both for the user, and administratively) to require
special purpose user/foo principals (which could have a short lifetime
and no renewability) for said applications.
I can go into more detail if that isn't sufficient, but I think it is
enough to understand the problem? Nice guesses by others, though.
Wait a second. I see this already exists, it's the authtime field.
And RFC 4120 describes exactly this usage. I guess I missed it since
klist doesn't show it.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
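The authtime usage the thread lands on, as an added example that is not part of the original message and is not MIT krb5 code: a small Python model of what a KDC does to a TGT's times on a RENEW request under RFC 4120 section 3.3.3 (starttime becomes "now", endtime is bounded by both the maximum lifetime and renew_till, authtime is copied from the original ticket unchanged), next to the application-side check that keys off authtime rather than starttime. The principal names, lifetimes and timestamps are constructed for illustration; a real application would read these fields from its credential cache or from the decrypted service ticket rather than from this model.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    """The time-related fields of a Kerberos ticket (RFC 4120 section 5.3)."""
    client: str
    server: str
    authtime: datetime        # time of the *initial* authentication
    starttime: datetime       # start of this ticket's validity
    endtime: datetime         # end of this ticket's validity
    renew_till: Optional[datetime]  # absolute renewal limit, None if not renewable


def issue_initial_tgt(client: str, realm: str, now: datetime,
                      max_life: timedelta, max_renewable_life: timedelta) -> Ticket:
    """AS exchange: a fresh TGT has authtime == starttime == now."""
    return Ticket(
        client=client,
        server=f"krbtgt/{realm}@{realm}",
        authtime=now,
        starttime=now,
        endtime=now + max_life,
        renew_till=now + max_renewable_life,
    )


def renew_tgt(tgt: Ticket, now: datetime, max_life: timedelta) -> Ticket:
    """Model of the KDC's handling of a TGS request with the RENEW option.

    RFC 4120 3.3.3: the ticket must still be valid and within its renew_till,
    the new starttime is the current time, the new endtime is the lesser of
    starttime + maximum lifetime and renew_till, and authtime is carried over
    from the ticket being renewed. Error names are the RFC's; this is a model,
    not the MIT krb5 implementation.
    """
    if tgt.renew_till is None:
        raise ValueError("KDC_ERR_BADOPTION: ticket is not renewable")
    if now > tgt.endtime:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED: expired tickets cannot be renewed")
    if now > tgt.renew_till:
        raise ValueError("KDC_ERR_BADOPTION: renewal limit has passed")
    new_endtime = min(now + max_life, tgt.renew_till)
    # authtime is deliberately *not* touched; only the validity window moves.
    return replace(tgt, starttime=now, endtime=new_endtime)


def time_since_authentication(tkt: Ticket, now: datetime) -> timedelta:
    """How long ago the user last proved possession of their long-term key."""
    return now - tkt.authtime


def recently_authenticated(tkt: Ticket, now: datetime, max_age: timedelta) -> bool:
    """Application policy: accept only if the initial authentication is recent.

    Using starttime here would be wrong: every renewal resets it, so a ticket
    renewed five minutes ago looks fresh regardless of when the user typed a
    password. authtime survives renewal and answers the actual question.
    """
    return time_since_authentication(tkt, now) <= max_age


def demo() -> dict:
    """Constructed scenario: a 10h TGT renewed three times across a day."""
    utc = timezone.utc
    t0 = datetime(2010, 11, 19, 13, 0, tzinfo=utc)      # constructed timestamp
    max_life = timedelta(hours=10)
    max_renewable_life = timedelta(days=7)

    tgt = issue_initial_tgt("frank@EXAMPLE.ORG", "EXAMPLE.ORG", t0,
                            max_life, max_renewable_life)
    # Each renewal happens before the current endtime, as kinit -R requires.
    r1 = renew_tgt(tgt, t0 + timedelta(hours=9), max_life)
    r2 = renew_tgt(r1, t0 + timedelta(hours=18), max_life)
    r3 = renew_tgt(r2, t0 + timedelta(hours=27), max_life)

    now = t0 + timedelta(hours=30)
    policy = timedelta(hours=24)
    return {
        "starttime_moved": r3.starttime != tgt.starttime,
        "authtime_preserved": r3.authtime == tgt.authtime,
        "hours_since_starttime": (now - r3.starttime).total_seconds() / 3600,
        "hours_since_authtime": time_since_authentication(r3, now).total_seconds() / 3600,
        "accepted_under_24h_policy": recently_authenticated(r3, now, policy),
        "final_endtime": r3.endtime,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the scenario makes is the one in the message: after three renewals the ticket looks three hours old by starttime but thirty hours old by authtime, so a 24-hour "must have authenticated recently" policy correctly rejects it without any change to the KDC. Note that MIT `klist` does not display authtime, but it is present in the credential cache and in every service ticket derived from the TGT, since the TGS copies it through.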