From kwc@babylon.citi.umich.edu Wed Dec 10 13:44:09 2003
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3p2) with ESMTP id NAA02468; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from citi.umich.edu (citi.umich.edu [141.211.133.111]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id hBAIi8VA017297 for ; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from babylon.citi.umich.edu (babylon.citi.umich.edu [141.211.133.5]) (using TLSv1 with cipher EDH-DSS-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by citi.umich.edu (Postfix) with ESMTP id C9BB5207E5 for ; Wed, 10 Dec 2003 13:44:07 -0500 (EST)
Received: (from kwc@localhost) by babylon.citi.umich.edu (8.12.10/8.12.10/Submit) id hBAIi6Is022321; Wed, 10 Dec 2003 13:44:06 -0500
Date: Wed, 10 Dec 2003 13:44:06 -0500
Message-Id: <200312101844.hBAIi6Is022321@babylon.citi.umich.edu>
To: krb5-bugs@mit.edu
Subject: K4 lifetime issues
From: kwc@citi.umich.edu Reply-To: kwc@citi.umich.edu Cc: X-send-pr-version: 3.99 >Submitter-Id: net >Originator: Kevin Coffman >Organization: University of Michigan -- CITI >Confidential: no >Synopsis: Problems with ticket lifetimes in K4 >Severity: serious >Priority: medium >Category: krb5-kdc >Class: sw-bug >Release: krb5-1.3.1 >Environment: System: Linux babylon.citi.umich.edu 2.4.21-4.ELsmp #1 SMP Fri Oct 3 17:52:56 EDT 2003 i686 i686 i386 GNU/Linux Architecture: i686 >Description: Resetting the issue time confuses clients into thinking there is a clock skew problem A TGS request for unlimited lifetime results in an endtime of 0xffffffff. >How-To-Repeat: The default Windows OpenAFS client uses K4. It had problems getting tokens with the adjustment of the issue time. KTH/Heimdal code requests unlimited lifetime service tickets. >Fix: [ 61 ] rock/.../kdc% cvs diff -u -r MIT_1_3_1 kerberos_v4.c Index: kerberos_v4.c =================================================================== RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/krb5/src/kdc/kerberos_v4.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 kerberos_v4.c --- kerberos_v4.c 21 Jul 2003 20:28:38 -0000 1.1.1.3 +++ kerberos_v4.c 10 Dec 2003 18:15:15 -0000 @@ -743,6 +743,7 @@ v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life); lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end); v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime); +#if !defined(UMICH) /* * Adjust issue time backwards if necessary, due to * roundup in krb_time_to_life(). XXX This frobs @@ -750,6 +751,7 @@ */ if (v4endtime > v4req_end) kerb_time.tv_sec -= v4endtime - v4req_end; +#endif #ifdef NOENCRYPTION memset(session_key, 0, sizeof(C_Block)); 
@@ -932,11 +934,21 @@ /* Bound requested lifetime with service and user */ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); +#if defined(UMICH) + /* + * Even if they requested unlimited lifetime, + * it is still limited by the end of their TGT + */ + if (v4req_end == 0xffffffff) + v4req_end = v4endtime; + else +#endif v4req_end = min(v4endtime, v4req_end); v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life); lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end); v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime); +#if !defined(UMICH) /* * Adjust issue time backwards if necessary, due to * roundup in krb_time_to_life(). XXX This frobs @@ -944,6 +956,7 @@ */ if (v4endtime > v4req_end) kerb_time.tv_sec -= v4endtime - v4req_end; +#endif /* unseal server's key from master key */ memcpy(key, &s_name_data.key_low, 4);
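Review bot: In the @@ -743 hunk, compiling the issue-time adjustment out behind a site-specific `UMICH` macro puts a local build switch into shared KDC code; if the back-adjustment is wrong for every K4 client that checks skew, it should be removed or made generic (or driven by a kdc.conf option), not keyed to one site's define. The logic consequence also needs a comment: once the adjustment is skipped, `v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime)` may exceed `v4req_end`, which the preceding `min(v4req_end, kerb_time.tv_sec + sk5life)` bounded by the K5 limit, so the issued K4 ticket can outlive that limit by the `krb_time_to_life()` roundup; state that this slack is accepted and how large it can be.

Review bot: In the @@ -932 hunk, an `else` that is immediately followed by `#endif`, so that `v4req_end = min(v4endtime, v4req_end);` is the else body in one build and a free-standing statement in the other, is fragile and hard to read. Restructure so both builds read the same: `if (v4req_end == 0xffffffff) v4req_end = v4endtime;` followed unconditionally by `v4req_end = min(v4endtime, v4req_end);`, which gives the same result since `v4endtime` is then the minimum. The need for an explicit `0xffffffff` check also deserves a comment on why `min()` does not already pick `v4endtime` here; if `KRB4_32` is a signed type, `0xffffffff` compares as -1 and wins the `min()`, and comparing against a named "unlimited lifetime" constant rather than the literal would make that intent clear.

Review bot: The @@ -944 hunk wraps the same "Adjust issue time backwards" block a second time with the same `#if !defined(UMICH)` / `#endif` pair as the @@ -743 hunk, including the duplicated `XXX This frobs` comment; factor the bounding-and-adjustment sequence into one helper so a future fix is applied in one place. As a style point, the file already uses `#ifdef NOENCRYPTION` form, so `#ifndef UMICH` / `#ifdef UMICH` would match the surrounding conventions better than `#if !defined(UMICH)` / `#if defined(UMICH)`.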