
Date: Thu, 07 Feb 2013 21:46:20 -0500
From: Richard Basch <>
Subject: krb5-1.10.3 - Ticket lifetimes can be "negative" (this is a bad idea)

It is possible to request tickets with a “negative” lifetime, e.g. “kinit -l -3600”.


It shouldn’t be possible to request tickets whose “start time” is greater than the “expiration time”. I suspect there may be some issues on 32-bit OSes with underflows.

Just as a note, the expire.exp test in lib/rpc/unit-test takes advantage
of this behavior (it requests a TGT with a lifetime of -1 minute in order
to exercise the GSS acceptor expiration check). The requirements of the
test shouldn't drive the implementation behavior, but we'll need to
rewrite the test if we change the KDC.
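
As an added illustration (not part of this thread and not krb5 code), the following C sketch shows one way to refuse a non-positive lifetime and a 32-bit wrap when deriving an expiration time from a start time. The function name, the result codes and the use of a signed 32-bit timestamp are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example (not krb5 error codes). */
enum { TIMES_OK = 0, TIMES_NONPOSITIVE_LIFETIME, TIMES_OVERFLOW };

/*
 * Derive an expiration time from a start time and a requested lifetime,
 * both in seconds. Timestamps are stored as signed 32-bit values here
 * (an assumption for this example). The sum is computed in 64 bits so a
 * wrapped 32-bit result can never be mistaken for a valid end time.
 */
static int compute_endtime(int32_t starttime, int64_t lifetime,
                           int32_t *endtime)
{
    int64_t end;

    if (lifetime <= 0)          /* e.g. a request like "-l -3600" */
        return TIMES_NONPOSITIVE_LIFETIME;
    end = (int64_t)starttime + lifetime;
    if (end > INT32_MAX)        /* would wrap to a time before starttime */
        return TIMES_OVERFLOW;
    *endtime = (int32_t)end;    /* guaranteed > starttime at this point */
    return TIMES_OK;
}

int main(void)
{
    /* Constructed sample requests: start time and requested lifetime. */
    struct { int32_t start; int64_t life; } reqs[] = {
        { 1360291580, 36000 },  /* ten hours: accepted */
        { 1360291580, -3600 },  /* negative lifetime: rejected */
        { 2147480000, 36000 },  /* sum exceeds INT32_MAX: rejected */
    };
    size_t i;

    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        int32_t end = 0;
        int rc = compute_endtime(reqs[i].start, reqs[i].life, &end);
        printf("start=%ld life=%lld rc=%d end=%ld\n", (long)reqs[i].start,
               (long long)reqs[i].life, rc, (long)end);
    }
    return 0;
}
```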