Subject: krb5_get_init_creds() allows renew_until time < expiration time
krb5_get_init_creds() should not allow ticket requests where the renew_until time is less
than the ticket expiration time. This can easily happen if the user has a default
renew_lifetime in libdefaults.
For example, if the user's renew_lifetime is set to 7 days in libdefaults and then the user runs
"kinit -l 10d", then krb5_get_init_creds() will end up with a renew_until time less than the
ticket expiration time without explicitly doing anything stupid.
I believe a correct way to fix this is to add a check so that if this case happens,
krb5_get_init_creds() sets the renew_until time to the larger lifetime. I.e.:

    if (request.rtime < request.till) {
        request.rtime = request.till;
    }
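
An added example, not code from this ticket or from the krb5 source: a small stand-alone model of how the two lifetimes become request times, reproducing the 7-day default against "kinit -l 10d" and applying the clamp proposed above. The struct, the function names and the rule that a zero renew lifetime means no renewable ticket is requested are assumptions of this model.

```c
#include <stdio.h>

/* Hypothetical model of an AS request's time fields; not krb5's own types. */
struct req_times {
    long from;   /* requested start time, in seconds */
    long till;   /* requested ticket expiration */
    long rtime;  /* requested renew_until; 0 = not renewable (model assumption) */
};

#define DAY (24L * 60 * 60)

/* Build the request times from a ticket lifetime and a renewable lifetime.
 * apply_fix selects whether the clamp proposed in the ticket is applied. */
static struct req_times build_times(long now, long tkt_life, long renew_life,
                                    int apply_fix)
{
    struct req_times r;
    r.from = now;
    r.till = now + tkt_life;
    if (renew_life > 0) {
        r.rtime = now + renew_life;
        /* Proposed clamp: renew_until is never earlier than expiration. */
        if (apply_fix && r.rtime < r.till)
            r.rtime = r.till;
    } else {
        r.rtime = 0;  /* non-renewable request: leave rtime unset */
    }
    return r;
}

/* Invariant the ticket asks for: a renewable request has rtime >= till. */
static int times_consistent(const struct req_times *r)
{
    return r->rtime == 0 || r->rtime >= r->till;
}

int main(void)
{
    long now = 1700000000L;  /* constructed timestamp */
    /* libdefaults renew_lifetime = 7d, user runs "kinit -l 10d" */
    struct req_times bad = build_times(now, 10 * DAY, 7 * DAY, 0);
    struct req_times ok  = build_times(now, 10 * DAY, 7 * DAY, 1);
    printf("without clamp: consistent=%d\n", times_consistent(&bad));
    printf("with clamp:    consistent=%d rtime-till=%ld\n",
           times_consistent(&ok), ok.rtime - ok.till);
    return 0;
}
```

In this model the clamp sits inside the renewable branch, so a request with no renew lifetime keeps rtime at 0 instead of being raised to till.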