From mary@eiger.demon.co.uk Sun Nov 30 12:06:36 2003
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id MAA13739; Sun, 30 Nov 2003 12:06:36 -0500 (EST)
Received: from shockwave.systems.pipex.net (shockwave.systems.pipex.net [62.241.160.9])
by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id hAUH6ZoR022342
for <krb5-bugs@mit.edu>; Sun, 30 Nov 2003 12:06:35 -0500 (EST)
Received: from eiger.localnet (62-241-188-93.dsl.pipex.com [62.241.188.93])
by shockwave.systems.pipex.net (Postfix) with ESMTP id 3569C1C0053F
for <krb5-bugs@mit.edu>; Sun, 30 Nov 2003 17:06:34 +0000 (GMT)
Received: from makalu.localnet (makalu [192.168.1.7])
by eiger.localnet (8.12.10/8.12.9) with ESMTP id hAUH0Ope020886
for <krb5-bugs@mit.edu>; Sun, 30 Nov 2003 17:00:24 GMT
From: Mary Cushion <mary@eiger.demon.co.uk>
To: krb5-bugs@mit.edu
Subject: No advanced warning of password expiry (including fix)
Date: Sun, 30 Nov 2003 17:07:42 +0000
User-Agent: KMail/1.5.3
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200311301707.42705.mary@eiger.demon.co.uk>

>Submitter-Id: net
>Originator: Mary Cushion
>Organization:
>Confidential: no
>Synopsis: No advanced warning of password expiry
>Severity: non-critical
>Priority: low
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
>Environment:
System: Linux 2.6.0-test9
Architecture: i686
>Description:
When a Kerberos password is close to expiry, no warning messages are seen,
even though there is code in lib/krb5/krb/gic_pwd.c to do this.
>How-To-Repeat:
Set a short password expiry policy
>Fix:
The problem seems to be the contents of the key_exp field included in
the KRB_AS_REP message sent to the client.

In kdc/do_as_req.c, this field is set to client.expiration, the client
principal expiration date, which is often far in the future or never.
However, this value is retrieved in lib/krb5/krb/gic_pwd.c and tested
against the current time to determine whether the password is close
to expiry.

The following tiny patch to the KDC code makes password expiry warnings work,
and I cannot see anywhere else in the client code that needs the original
meaning?

--- do_as_req.c.orig 2002-11-04 02:20:51.000000000 +0000
+++ do_as_req.c 2003-11-19 17:23:26.000000000 +0000
@@ -370,7 +370,7 @@
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client.pw_expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
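Review bot: `+ reply_encpart.key_exp = client.pw_expiration;` swaps the account expiration for the password expiration rather than combining the two, so a principal whose account expires before its password would no longer have that earlier date reflected in key_exp; as the report itself notes, RFC 1510 specifies the minimum of both dates. Suggest computing that minimum here, and leaving out whichever value the KDC uses to mean "never" so it is not treated as the earliest possible time.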

According to RFC1510, this field should more properly be the minimum of
both client and password expiration dates, but it may be more confusing to a
user to warn that "Your password or account will expire in 6 days", when
there's not much they can do about the account bit.
From: ghudson@mit.edu
Subject: SVN Commit

In AS replies, set the key-expiration field to the minimum of account
and password expiration time as specified in RFC 4120. Reported by
Mary Cushion <mary@eiger.demon.co.uk>.


https://github.com/krb5/krb5/commit/1c0791bb201ff274dbbf8aa644bfffc200f15f08
Commit By: ghudson
Revision: 24240
Changed Files:
U trunk/src/kdc/do_as_req.c
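To make the fix concrete, here is an added illustration of both halves of the problem described above: the KDC-side derivation of the AS-REP key-expiration field as the minimum of account and password expiration (the behaviour the commit message describes), and the client-side comparison against the current time that produces the warning. This is example code written for this page, not krb5 source; the function names are hypothetical, and it assumes expirations are Unix timestamps with 0 meaning "never" and a 7-day warning window.

```c
/* Added illustration, not krb5 source code. Assumed conventions:
 * expirations are Unix timestamps, 0 means "never", and the client
 * warns within a 7-day window. */
#include <stdio.h>
#include <time.h>

#define NEVER 0
#define DAY_SECS (24L * 3600L)
#define WARN_WINDOW_DAYS 7

/* KDC side: key_exp = min(account expiration, password expiration),
 * skipping any value that is "never". The original code sent only the
 * account date (which hid password warnings); the reported patch sent
 * only the password date (dropping account expiry); the commit takes
 * the minimum of both. */
time_t kdc_key_exp(time_t acct_exp, time_t pw_exp)
{
    if (acct_exp == NEVER) return pw_exp;
    if (pw_exp == NEVER)   return acct_exp;
    return acct_exp < pw_exp ? acct_exp : pw_exp;
}

/* Client side, simplified: compare key_exp against "now". Returns -1 when
 * no warning is due (no expiry, or outside the window), otherwise the
 * whole days remaining (0 if already expired). */
int client_expiry_warning_days(time_t key_exp, time_t now)
{
    long secs;
    if (key_exp == NEVER) return -1;
    secs = (long)difftime(key_exp, now);
    if (secs <= 0) return 0;
    if (secs > WARN_WINDOW_DAYS * DAY_SECS) return -1;
    return (int)(secs / DAY_SECS);
}

int main(void)
{
    /* Constructed scenario: account valid for a year, password for 3 days.
     * "now" is a fixed timestamp (late Nov 2003) so the run is reproducible. */
    time_t now = 1070000000;
    time_t acct_exp = now + 365 * DAY_SECS;
    time_t pw_exp = now + 3 * DAY_SECS;
    int before = client_expiry_warning_days(acct_exp, now);                  /* old KDC */
    int after  = client_expiry_warning_days(kdc_key_exp(acct_exp, pw_exp), now);
    printf("old key_exp (account date): warning days = %d\n", before);  /* -1 */
    printf("fixed key_exp (minimum):    warning days = %d\n", after);   /* 3 */
    return 0;
}
```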