[16502] in Kerberos_V5_Development


Re: preserve original starttime on renewed TGTs

daemon@ATHENA.MIT.EDU (Sam Hartman)
Sun Nov 21 12:48:35 2010

From: Sam Hartman <hartmans@mit.edu>
To: Frank Cusack <frank+krb@linetwo.net>
Date: Sun, 21 Nov 2010 12:48:25 -0500
In-Reply-To: <7D4ECC1251D74FF4398B651A@cusack.local> (Frank Cusack's message
	of "Fri, 19 Nov 2010 17:20:23 -0800")
Message-ID: <tslfwuueffa.fsf@carter-zimmerman.suchdamage.org>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "Frank" == Frank Cusack <frank+krb@linetwo.net> writes:

    Frank> On 11/19/10 4:43 PM -0500 Simo Sorce wrote:
    >> On Fri, 19 Nov 2010 13:21:34 -0800
    >> Frank Cusack <frank+krb@linetwo.net> wrote:
    >> 
    >>> When running 'kinit -R', the KDC resets the starttime on the
    >>> returned TGT to "now".  I'd like to modify my KDC to preserve
    >>> the original starttime instead.  That could make a renewed TGT
    >>> appear to have longer than the normal maximum configured
    >>> lifetime, but it seems like a fairly trivial non-problem.  As
    >>> opposed to a postdated ticket, this would now be a predated
    >>> ticket.
    >> 
    >> Hi Frank, I am curious to understand why you want to do that.
    >> What class of use cases does it solve?

    Frank> I would like an application to be able to determine the last
    Frank> time the user actually authenticated and make a decision
    Frank> based on that.  With renewable TGTs you can't determine how
    Frank> long ago the user actually interactively authenticated.

Doesn't the authtime field already serve this purpose?
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
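The thread turns on which time field in a renewed TGT survives `kinit -R`. The following is an added example, not code from the thread or from MIT krb5: a small model of how a KDC rewrites a ticket's time fields on a RENEW request according to RFC 4120 (section 3.3.3 for renewal, section 5.3 for authtime), with a `preserve_starttime` switch that models Frank's proposed change, and a hypothetical application-side policy check that keys on `authtime`, as Sam suggests. The `MAX_LIFE` and `MAX_RENEW` values, the `Ticket` class and every function name are assumptions made for the illustration; times are plain seconds.

```python
"""Model of a KDC's handling of TGT time fields across renewal (kinit -R).

Constructed example written for this page; not MIT krb5 code.  The rules
follow RFC 4120: on RENEW the new starttime is the current time, the new
endtime is min(now + max_life, renew_till), and authtime is copied from
the ticket being renewed.  The policy helper is the application check
discussed in the thread.
"""
from dataclasses import dataclass, replace

MAX_LIFE = 10 * 3600      # assumed KDC max_life: 10 hours
MAX_RENEW = 7 * 86400     # assumed KDC max_renewable_life: 7 days
HOUR = 3600


@dataclass(frozen=True)
class Ticket:
    authtime: int     # time of the initial (interactive) authentication
    starttime: int    # start of this ticket's validity period
    endtime: int      # end of this ticket's validity period
    renew_till: int   # absolute limit on how far renewals may extend endtime


def issue_as_tgt(now, max_life=MAX_LIFE, max_renew=MAX_RENEW):
    """AS exchange: a fresh TGT has authtime == starttime == now."""
    return Ticket(authtime=now, starttime=now,
                  endtime=now + max_life, renew_till=now + max_renew)


def can_renew(tgt, now):
    """A ticket can be renewed only while it is still valid and renew_till
    has not passed."""
    return now < tgt.endtime and now < tgt.renew_till


def renew(tgt, now, max_life=MAX_LIFE, preserve_starttime=False):
    """TGS RENEW as in RFC 4120: starttime := now, endtime := min(now +
    max_life, renew_till), authtime unchanged.  preserve_starttime=True
    models the KDC modification proposed in the thread (starttime kept)."""
    if not can_renew(tgt, now):
        raise ValueError("ticket expired or renew_till reached")
    new_start = tgt.starttime if preserve_starttime else now
    new_end = min(now + max_life, tgt.renew_till)
    return replace(tgt, starttime=new_start, endtime=new_end)


def apparent_lifetime(tgt):
    """endtime - starttime: what a client sees as the ticket's lifetime."""
    return tgt.endtime - tgt.starttime


def seconds_since_auth(tgt, now):
    """Age of the last interactive authentication, read from authtime.
    This value is unaffected by how many times the TGT was renewed."""
    return now - tgt.authtime


def requires_reauth(tgt, now, max_age):
    """Hypothetical application policy: refuse to proceed if the user's
    last interactive authentication is older than max_age seconds."""
    return seconds_since_auth(tgt, now) > max_age


def renew_chain(now_list, preserve_starttime=False):
    """Issue a TGT at time 0 and renew it at each time in now_list, returning
    the ticket after each step (the first element is the original TGT)."""
    tgt = issue_as_tgt(0)
    history = [tgt]
    for now in now_list:
        tgt = renew(tgt, now, preserve_starttime=preserve_starttime)
        history.append(tgt)
    return history


if __name__ == "__main__":
    # Constructed timeline: renew every 9 hours for just over a day.
    renew_times = [9 * HOUR, 18 * HOUR, 27 * HOUR]
    for label, keep in (("RFC 4120 renewal", False), ("starttime preserved", True)):
        print(label)
        for t in renew_chain(renew_times, preserve_starttime=keep):
            print(f"  authtime={t.authtime // HOUR:>3}h  starttime={t.starttime // HOUR:>3}h"
                  f"  endtime={t.endtime // HOUR:>3}h  apparent lifetime={apparent_lifetime(t) // HOUR}h")
    last = renew_chain(renew_times)[-1]
    now = 30 * HOUR
    print(f"at {now // HOUR}h: last interactive auth was {seconds_since_auth(last, now) // HOUR}h ago,"
          f" reauth required under a 24h policy: {requires_reauth(last, now, 24 * HOUR)}")
```

With the standard rules, every renewed ticket in the chain keeps `authtime == 0` while `starttime` advances to the renewal time, so a policy that reads `authtime` gets the answer Frank wants without any KDC change. With `preserve_starttime=True`, the third renewal shows `endtime - starttime` of 37 hours against a configured `MAX_LIFE` of 10, which is the "longer than the normal maximum configured lifetime" effect Frank mentions.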
