krbdev.mit.edu: Search ( Requestor.id = 60395 ) AND (Status = '__Active__')
https://krbdev.mit.edu:443/rt/
2023-09-29T00:00:00Z1hourlyBug report: warn_pw_expiry() wrongfully warns of coming expiration when krbPasswordExpiration is in at least 68.09 years
https://krbdev.mit.edu:443/rt/Ticket/Display.html?id=9033
Hi,
While tinkering with krbPasswordExpiration setting in FreeIPA, I stumbled
on a corner case where calling kinit would output the following warning:
$ kinit admin
Password for admin@INT.HOSTNAME.TLD:
Warning: Your password will expire in less than one hour on Fri 05 Oct
2096 12:00:00 AM UTC
The admin krbPasswordExpiration is effectively set to 05 Oct 2096 12:00:00
AM UTC or in epoch: 4000233600, while the current date was 05 Oct 2021
13:58:00 AM UTC or in epoch : 1633442336.
The problem happens here:
https://github.com/krb5/krb5/blob/371f09d4bf4ca0c7ba15c5ef909bc35307ed9cc3/src/lib/krb5/krb/get_in_tkt.c#L1568
warn_pw_expiry() computes the difference between the expiration date and
now using ts_delta. Since ts_delta returns a signed 32 bits integer, the
highest difference that can be correctly represented between a future date
and now is 2147483648 seconds (~68.09 years). Beyond that, ts_delta returns
a negative number, and warn_pw_expiry() warns the password is about to
expire since it is smaller to 3600 seconds.
When the delta is computed, warn_pw_expiry() is already aware that the
password is not expired, otherwise the expiration callback would have been
called. Hence, we know the timestamp difference has to be strictly
positive. Therefore, the first if could be rewritten as:
if (delta > 0 && delta < 3600) {
Reference:
https://github.com/krb5/krb5/blob/371f09d4bf4ca0c7ba15c5ef909bc35307ed9cc3/src/lib/krb5/krb/get_in_tkt.c#L1569
I realize this is a corner case, so it might not be desirable to fix the
logic, but if the logic is not fixed, a maximum value
for krbPasswordExpiration should probably be documented somewhere, which is
why I am reporting this.
--
Félix-Antoine Fortin
Université Laval
Félix-Antoine Fortin <felix-antoine.fortin@calculquebec.ca>2021-10-06T15:42:56Z