Date: Wed, 15 Jan 2014 17:18:23 -0500
From: Nalin Dahyabhai <nalin@redhat.com>
To: krb5-bugs@mit.edu
Subject: gss_init_sec_context() can ignore time sync with keyring caches
In testing, we're seeing that GSSAPI clients are getting "Ticket expired"
errors from gss_init_sec_context() when using keyring caches on
a system where the clock is ahead of the KDC's by more than the lifetime
of the client credentials (the specific test was ldapsearch using
GSSAPI, FWIW).
The GSSAPI client library's get_credentials() function is comparing the
recorded expiration time of a set of credentials that it's about to use
to the current time as returned to kg_new_connection() by
krb5_timeofday().
That time is affected by the krb5_context's os_ctx's time_offset member,
which is only set from a keyring cache in krb5_krcc_resolve(), which is
only called after the clock is read in kg_new_connection(), so the KDC's
clock offset is not taken into account in the comparison.
When a file is used, though, the offset is set in krb5_fcc_open_file()
when it's called either from krb5_fcc_start_seq_get() or
krb5_fcc_next_cred(), which are both called before the clock is read in
kg_new_connection(), so the KDC's clock offset is taken into account
when the comparison is made in get_credentials().
I've tried having get_credentials() re-read the clock using
krb5_timeofday() right before comparing "result_creds->times.endtime"
and "now", and moving calls to krb5_krcc_get_time_offsets() from
krb5_krcc_resolve() to krb5_krcc_start_seq_get() and/or
krb5_krcc_next_cred(), and either approach by itself, or both together,
produced the desired behavior.
I'm attaching a patch which does both, though I think the changes to
just init_sec_context.c are actually enough.
Thanks,
Nalin
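The ordering problem described in the report, as an added toy model (this is illustration code written for this page, not krb5 source): a `Context` stands in for `krb5_context` with `time_offset` playing `os_ctx.time_offset`, `Cache` stands in for the KEYRING and FILE ccache types, and `new_connection()` mirrors the sequence the report describes for `kg_new_connection()`/`get_credentials()`. The clock values, the 2h skew and the 1h ticket lifetime are constructed inputs; the `offset_on_resolve`/`patched` knobs and function names are assumptions made for the demonstration and do not exist in krb5.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample values: the client clock is 2h ahead of the KDC and
# the ticket lives for 1h, so the skew exceeds the ticket lifetime.
KDC_NOW = 1_000_000
CLIENT_SKEW = 2 * 3600
TICKET_LIFETIME = 3600
CLIENT_WALL_CLOCK = KDC_NOW + CLIENT_SKEW
TICKET_ENDTIME = KDC_NOW + TICKET_LIFETIME
# Offset recorded in the ccache by the KDC time sync: KDC time - client time.
CACHE_OFFSET = KDC_NOW - CLIENT_WALL_CLOCK


@dataclass
class Context:
    """Model of krb5_context; time_offset plays os_ctx.time_offset."""
    wall_clock: int
    time_offset: int = 0

    def timeofday(self) -> int:
        # Model of krb5_timeofday(): wall clock corrected by the KDC offset.
        return self.wall_clock + self.time_offset


@dataclass
class Cred:
    endtime: int


@dataclass
class Cache:
    """Model of a ccache holding a stored KDC time offset.

    offset_on_resolve=True models the keyring cache in the report, where the
    offset is only applied in krb5_krcc_resolve(), which runs after the clock
    is read.  offset_on_resolve=False models the file cache (offset applied in
    krb5_fcc_open_file() via start_seq_get()/next_cred(), before the clock is
    read) and also the patched keyring cache.
    """
    offset: int
    creds: List[Cred] = field(default_factory=list)
    offset_on_resolve: bool = True

    def open_before_clock(self, ctx: Context) -> None:
        if not self.offset_on_resolve:
            ctx.time_offset = self.offset

    def resolve_after_clock(self, ctx: Context) -> None:
        if self.offset_on_resolve:
            ctx.time_offset = self.offset


def keyring_cache(patched: bool = False) -> Cache:
    # patched=True models moving krb5_krcc_get_time_offsets() into
    # krb5_krcc_start_seq_get()/krb5_krcc_next_cred() (assumed knob).
    return Cache(CACHE_OFFSET, [Cred(TICKET_ENDTIME)], offset_on_resolve=not patched)


def file_cache() -> Cache:
    return Cache(CACHE_OFFSET, [Cred(TICKET_ENDTIME)], offset_on_resolve=False)


def new_connection(cache: Cache, reread_clock: bool = False) -> str:
    """Model of kg_new_connection() -> get_credentials().

    reread_clock=True models the first fix in the report: calling
    krb5_timeofday() again right before comparing endtime against now.
    Returns "ok" or "ticket expired".
    """
    ctx = Context(wall_clock=CLIENT_WALL_CLOCK)
    cache.open_before_clock(ctx)      # file cache: offset already applied
    now = ctx.timeofday()             # kg_new_connection() reads the clock
    cache.resolve_after_clock(ctx)    # keyring cache: offset applied only now
    cred = cache.creds[0]
    if reread_clock:
        now = ctx.timeofday()         # get_credentials() re-reads the clock
    return "ok" if cred.endtime > now else "ticket expired"


def run_scenarios() -> dict:
    """Compare the buggy keyring path with the file path and both fixes."""
    return {
        "keyring_unpatched": new_connection(keyring_cache()),
        "file": new_connection(file_cache()),
        "keyring_reread_clock": new_connection(keyring_cache(), reread_clock=True),
        "keyring_offset_in_seq_get": new_connection(keyring_cache(patched=True)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Only the unpatched keyring path reports an expired ticket: its comparison uses a `now` taken before the offset was loaded, while the file path and either of the two changes the report tried see the corrected time and accept the still-valid credentials.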