Date: Wed, 15 Jan 2014 17:18:23 -0500
From: Nalin Dahyabhai <nalin@redhat.com>
To: krb5-bugs@mit.edu
Subject: gss_init_sec_context() can ignore time sync with keyring caches
In testing, we're seeing that GSSAPI clients are getting Ticket-expired
errors from gss_init_sec_context() when using keyring caches on
a system where the clock is ahead of the KDC's by more than the lifetime
of the client credentials (the specific test was ldapsearch using
GSSAPI, FWIW).

The GSSAPI client library's get_credentials() function is comparing the
recorded expiration time of a set of credentials that it's about to use
to the current time as returned to kg_new_connection() by
krb5_timeofday().

That time is affected by the krb5_context's os_ctx's time_offset member,
which is only set from a keyring cache in krb5_krcc_resolve(), which is
only called after the clock is read in kg_new_connection(), so the KDC's
clock offset is not taken into account in the comparison.

When a file is used, though, the offset is set in krb5_fcc_open_file()
when it's called either from krb5_fcc_start_seq_get() or
krb5_fcc_next_cred(), which are both called before the clock is read in
kg_new_connection(), so the KDC's clock offset is taken into account
when the comparison is made in get_credentials().

I've tried having get_credentials() re-read the clock using
krb5_timeofday() right before comparing "result_creds->times.endtime"
and "now", and moving calls to krb5_krcc_get_time_offsets() from
krb5_krcc_resolve() to krb5_krcc_start_seq_get() and/or
krb5_krcc_next_cred(), and either approach by itself, or both together,
produced the desired behavior.

I'm attaching a patch which does both, though I think the changes to
just init_sec_context.c are actually enough.

Thanks,

Nalin
[Attachment: sync.patch (text/plain, 5KiB). Body not inlined at the sender's request.]

I don't see how start_seq_get or next_cred could be called prior to
resolve. In my tests, krb5_krcc_resolve is called prior to the
krb5_gettimeofday call in kg_new_connection(), as I would expect.

Date: Thu, 16 Jan 2014 16:43:38 -0500
From: Nalin Dahyabhai <nalin@redhat.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #7820] gss_init_sec_context() can ignore time sync with keyring caches
[Message body (text/plain, 116.6KiB) not shown by RT because it is too large.]

I think the problem is that keyring ccaches created by
krb5_krcc_ptcursor_next do not look up the time offsets. In the case
where kg_cred_resolve gets a cache from the collection via
krb5_cc_select, krb5_krcc_resolve is not called and we don't get the time
offsets. In the case where kg_cred_resolve falls back to
krb5int_cc_default, krb5_krcc_resolve is called and we get offsets.

The fix is as simple as moving the time offset lookup code from
krb5_krcc_resolve() into make_cache().

(In the long term, we hope to make fetching the time offset from the
cache into an explicit operation, in order to better handle cases where
different realms have different KDC times.)

Please test the commit at the head of
https://github.com/greghudson/krb5/commits/krtimes and make sure it
solves your problem. (I will remove this branch when it is pushed to
master.)
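As an added illustration (not krb5 project code, and not the attached sync.patch), the C model below follows the two ways kg_cred_resolve can obtain a keyring cache that Greg's diagnosis describes: the default-cache path through krb5_krcc_resolve, which loaded the KDC time offsets, and the collection path through krb5_krcc_ptcursor_next and make_cache, which did not. It then performs the endtime-versus-now comparison from get_credentials() with a client clock two hours ahead of the KDC and a one-hour ticket, so the collection path before the fix reports "Ticket expired" while every other combination accepts the credentials. Every identifier ending in _model, and all the sample timestamps, are constructed stand-ins, not the real krb5 types or values.

```c
/* Added illustration, not code from krb5 or from the attached patch.
 * It models how a keyring ccache's stored KDC time offset reaches
 * krb5_timeofday(), and why a cache created without loading that offset
 * makes get_credentials() see "Ticket expired" when the client clock is
 * ahead of the KDC by more than the ticket lifetime. Every identifier
 * ending in _model is a hypothetical stand-in for the real krb5 one. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t krb5_timestamp_model;

/* Constructed sample values (seconds). */
#define KDC_NOW_MODEL     1000000000LL /* KDC clock when the TGT was issued */
#define CLOCK_AHEAD_MODEL 7200LL       /* client clock runs 2h ahead of the KDC */
#define TICKET_LIFE_MODEL 3600LL       /* ticket lifetime 1h, less than the skew */

/* The part of the krb5_context os_ctx that matters here: the offset
 * (KDC time minus local time) and whether it has been loaded from a cache. */
typedef struct {
    bool offset_valid;
    krb5_timestamp_model time_offset;
} os_context_model;

/* A keyring ccache with the offset recorded when the credentials were obtained. */
typedef struct {
    krb5_timestamp_model stored_offset;
} keyring_cache_model;

/* make_cache(): before the fix it did not touch the offsets; after the fix
 * (the make_cache change in the commit recorded on this ticket) it loads
 * them for every cache it builds. */
static void make_cache_model(os_context_model *os, const keyring_cache_model *cc, bool fixed)
{
    if (fixed) {
        os->offset_valid = true;
        os->time_offset = cc->stored_offset;
    }
}

/* krb5_krcc_resolve(): the default-cache path. Before the fix it loaded the
 * offsets itself; after the fix make_cache does it. Either way they are loaded. */
static void krcc_resolve_model(os_context_model *os, const keyring_cache_model *cc, bool fixed)
{
    if (!fixed) {
        os->offset_valid = true;
        os->time_offset = cc->stored_offset;
    }
    make_cache_model(os, cc, fixed);
}

/* krb5_krcc_ptcursor_next(): the collection path taken when kg_cred_resolve
 * picks a cache via krb5_cc_select. It only ever goes through make_cache. */
static void krcc_ptcursor_next_model(os_context_model *os, const keyring_cache_model *cc, bool fixed)
{
    make_cache_model(os, cc, fixed);
}

/* krb5_timeofday(): the local clock, corrected by the offset once one is loaded. */
static krb5_timestamp_model timeofday_model(const os_context_model *os, krb5_timestamp_model local_clock)
{
    return os->offset_valid ? local_clock + os->time_offset : local_clock;
}

/* get_credentials(): the endtime-vs-now comparison from init_sec_context.c. */
static bool creds_usable_model(const os_context_model *os, krb5_timestamp_model local_clock,
                               krb5_timestamp_model endtime)
{
    return timeofday_model(os, local_clock) < endtime;
}

/* Run the whole scenario: obtain the cache via one of the two paths, then
 * perform the expiry check the way kg_new_connection()/get_credentials() do.
 * Returns true if the credentials are accepted, false for "Ticket expired". */
bool check_model(bool via_collection, bool fixed)
{
    krb5_timestamp_model local_clock = KDC_NOW_MODEL + CLOCK_AHEAD_MODEL;
    krb5_timestamp_model endtime = KDC_NOW_MODEL + TICKET_LIFE_MODEL;
    keyring_cache_model cc = { .stored_offset = KDC_NOW_MODEL - local_clock };
    os_context_model os = { .offset_valid = false, .time_offset = 0 };

    if (via_collection)
        krcc_ptcursor_next_model(&os, &cc, fixed);
    else
        krcc_resolve_model(&os, &cc, fixed);

    return creds_usable_model(&os, local_clock, endtime);
}

int main(void)
{
    printf("default cache, before fix:    %s\n", check_model(false, false) ? "ok" : "Ticket expired");
    printf("collection cache, before fix: %s\n", check_model(true, false) ? "ok" : "Ticket expired");
    printf("default cache, after fix:     %s\n", check_model(false, true) ? "ok" : "Ticket expired");
    printf("collection cache, after fix:  %s\n", check_model(true, true) ? "ok" : "Ticket expired");
    return 0;
}
```

The model keeps the real ordering that matters on this ticket: the clock is read after the cache has been obtained, so whether the offset is applied depends entirely on which path built the cache, not on when krb5_timeofday() runs.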
Date: Fri, 17 Jan 2014 09:39:36 -0500
From: Nalin Dahyabhai <nalin@redhat.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #7820] gss_init_sec_context() can ignore time sync with keyring caches
On Thu, Jan 16, 2014 at 05:50:21PM -0500, Greg Hudson via RT wrote:
> Please test the commit at the head of
> https://github.com/greghudson/krb5/commits/krtimes and make sure it
> solves your problem. (I will remove this branch when it is pushed to
> master.)

It does. Thanks!

Nalin
From: ghudson@mit.edu
Subject: git commit

Get time offsets for all keyring ccaches

Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.

https://github.com/krb5/krb5/commit/e99c688913a7761c6adea9488ea9355f43539883
Author: Greg Hudson <ghudson@mit.edu>
Commit: e99c688913a7761c6adea9488ea9355f43539883
Branch: master
src/lib/krb5/ccache/cc_keyring.c | 43 ++++++++++++++++++++-----------------
1 files changed, 23 insertions(+), 20 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Get time offsets for all keyring ccaches

Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.

(cherry picked from commit e99c688913a7761c6adea9488ea9355f43539883)

https://github.com/krb5/krb5/commit/64839d5ee1e8f3ebb394b980eb50b90ad9928a0e
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 64839d5ee1e8f3ebb394b980eb50b90ad9928a0e
Branch: krb5-1.12
src/lib/krb5/ccache/cc_keyring.c | 43 ++++++++++++++++++++-----------------
1 files changed, 23 insertions(+), 20 deletions(-)