Skip Menu |
 

Subject: krb5_get_init_creds() allows renew_until time < expiration time
krb5_get_init_creds() should not allow ticket requests where the renew_until time is less
than the ticket expiration time. This can easily happen if the user has a default
renew_lifetime in libdefaults.

For example, if the user's renew_lifetime is set to 7 days in libdefaults and then the user runs
"kinit -l 10d", then krb5_get_init_creds() will end up with a renew_until time less than the
ticket expiration time without explicitly doing anything stupid.

I believe a correct way to fix this is to add a check so that if this case happens,
krb5_get_init_creds() sets the renew_until time to the larger lifetime. Ie:

if (request.rtime < request.till) {
request.rtime = request.till;
}
From: lxs@mit.edu
Subject: CVS Commit
get_in_tkt.c (get_init_creds): Support ticket_lifetime libdefault. Made aware of 32 bit min and max for times. Allow renew_until time < expiration time.


To generate a diff of this commit:



cvs diff -r5.447 -r5.448 krb5/src/lib/krb5/krb/ChangeLog
From: lxs@mit.edu
Subject: CVS Commit
get_in_tkt.c (get_init_creds): Support ticket_lifetime libdefault. Made aware of 32 bit min and max for times. Allow renew_until time < expiration time.


To generate a diff of this commit:



cvs diff -r5.110 -r5.111 krb5/src/lib/krb5/krb/get_in_tkt.c