Date: Wed, 14 Feb 2007 13:03:59 -0700
From: Shawn M Emery <Shawn.Emery@Sun.COM>
Subject: acct exp only sent in AS-REP
To: krb5-bugs@mit.edu

Currently the KDC will only populate the key expiration field in the
AS-REP with the account expiration information. It should provide
either account exp or pw exp, whichever expires first.

These are diffs of the fix based on the 1.6 release:
kdc/do_as_req.c:
@@ -70,11 +70,11 @@
#ifdef KRBCONF_KDC_MODIFIES_KDB
krb5_boolean update_client = 0;
#endif /* KRBCONF_KDC_MODIFIES_KDB */
krb5_data e_data;
register int i;
- krb5_timestamp until, rtime;
+ krb5_timestamp until, rtime, etime = 0;
char *cname = 0, *sname = 0;
const char *fromstring = 0;
char ktypestr[128];
char rep_etypestr[128];
char fromstringbuf[70];
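Review bot: the `= 0` initializer on the new `etime` declaration is never read, because the second hunk assigns `etime` on both branches of its if/else before the only use. Either drop the initializer or drop the temporary and assign to `reply_encpart.key_exp` directly; if the variable stays, a more descriptive name would help it stand apart from `until` and `rtime`.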
@@ -369,11 +369,18 @@
if ((errcode = fetch_last_req_info(&client,
&reply_encpart.last_req))) {
status = "FETCH_LAST_REQ";
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+
+ /* Take the minimum of expiration or pw_expiration if not zero. */
+ if (client.expiration != 0 && client.pw_expiration != 0)
+ etime = min(client.expiration, client.pw_expiration);
+ else
+ etime = client.expiration ? client.expiration :
client.pw_expiration;
+
+ reply_encpart.key_exp = etime;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;

/* copy the time fields EXCEPT for authtime; it's location
is used for ktime */
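Review bot: the continuation line `client.pw_expiration;` after `etime = client.expiration ? client.expiration :` carries no `+` marker, so as posted it reads as a context line rather than part of the added statement; it looks mail-wrapped and should be rejoined onto the preceding `+` line before the patch is applied. The new comment should also say what a zero value means for each field, since the whole branch depends on treating zero as "not set" rather than as a timestamp, and it should note that when both fields are zero `key_exp` is left at zero.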

Shawn.
--