Subject: krb5 gss_accept_sec_context() does not allow clock skew
In 1996 (before the 1.0 release), an explicit check was added to the
krb5 gss_accept_sec_context() implementation to reject the incoming
token if the ticket endtime expires before the current time. This
check may have been motivated by the need to compute a non-negative
time_rec result. If the check triggers, gss_accept_sec_context()
returns GSS_S_CREDENTIALS_EXPIRED, which is incorrect (it suggests
that the acceptor's verifier_cred_handle has expired) and is not
consistent with the behavior when krb5_rd_req_decoded() fails due to
expired tickets.

This unnecessarily strict check causes a particularly bad experience
when (a) the client's clock is slightly ahead of the server's clock,
and (b) the maximum service ticket lifetime is lower than the maximum
TGT lifetime. In that circumstance, the client will acquire a new
service ticket using the TGT if the client sees the credential as
expired, but the application will experience an authentication
failure if only the server sees the credential as expired.

A better way of dealing with the time_rec computation would be to
unconditionally add the allowed clock skew to time_rec, and to
lifetime_rec in krb5_gss_inquire_context.

There is a corresponding piece of code in the krb5
gss_init_sec_context() to "Enforce a stricter limit" on client
credentials, but it may not be operative; krb5_get_credentials() will
already ignore cached service tickets whose endtime is less than the
current time.

See also:

http://mailman.mit.edu/pipermail/krbdev/2015-October/012457.html
[ghudson - Tue Oct 6 11:51:12 2015]:
> This unnecessarily strict check causes a particularly bad
> experience when (a) the client's clock is slightly ahead of the
> server's clock,

I meant to say "the server's clock is slightly ahead of the client's
clock" here.
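
The failure window from the report, with the correction above applied (server's clock slightly ahead of the client's), modeled as an added example that is not part of the ticket or the krb5 source. The function names, the 300-second skew, the sample times and the exact form of the skew-tolerant check are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical model, not krb5 source. Times are seconds on one absolute scale. */
#define CLOCK_SKEW 300 /* constructed sample value for the allowed clock skew */

/* Client side: reuse a cached service ticket only while the client's own clock
 * says it has not expired; otherwise the client would use its TGT to get a new one. */
static int client_reuses_ticket(long endtime, long client_now)
{
    return endtime > client_now;
}

/* Acceptor check as the report describes it: reject once endtime is before now. */
static int strict_accepts(long endtime, long server_now)
{
    return !(endtime < server_now);
}

/* Skew-tolerant check (assumed form): reject only once now is past endtime + skew. */
static int skew_accepts(long endtime, long server_now)
{
    return server_now - endtime <= CLOCK_SKEW;
}

/* Proposed time_rec: remaining lifetime plus the allowed skew, so the result is
 * non-negative for every ticket that skew_accepts() lets through. */
static long time_rec_with_skew(long endtime, long server_now)
{
    return endtime - server_now + CLOCK_SKEW;
}

int main(void)
{
    long endtime = 36000;              /* constructed: service ticket endtime */
    long client_now = 35990;           /* client sees 10 s of lifetime left */
    long server_now = client_now + 20; /* server clock is 20 s ahead */

    printf("client reuses cached ticket: %d\n", client_reuses_ticket(endtime, client_now));
    printf("strict acceptor accepts:     %d\n", strict_accepts(endtime, server_now));
    printf("skew-tolerant accepts:       %d\n", skew_accepts(endtime, server_now));
    printf("time_rec with skew:          %ld\n", time_rec_with_skew(endtime, server_now));
    return 0;
}
```

With these sample times the client still presents the cached ticket, the strict check rejects it, and the skew-tolerant check accepts it with 290 seconds reported.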
From: ghudson@mit.edu
Subject: git commit

Allow clock skew in krb5 gss_accept_sec_context()

Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.

https://github.com/krb5/krb5/commit/b496ce4095133536e0ace36b74130e4b9ecb5e11
Author: Greg Hudson <ghudson@mit.edu>
Commit: b496ce4095133536e0ace36b74130e4b9ecb5e11
Branch: master
src/lib/gssapi/krb5/accept_sec_context.c | 18 ++++--------------
src/lib/gssapi/krb5/inq_context.c | 7 ++++++-
2 files changed, 10 insertions(+), 15 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Allow clock skew in krb5 gss_accept_sec_context()

Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.

(cherry picked from commit b496ce4095133536e0ace36b74130e4b9ecb5e11)

https://github.com/krb5/krb5/commit/8c40b196ce00e653081f6c21f1dd2cbbcd2cc64e
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 8c40b196ce00e653081f6c21f1dd2cbbcd2cc64e
Branch: krb5-1.14
src/lib/gssapi/krb5/accept_sec_context.c | 18 ++++--------------
src/lib/gssapi/krb5/inq_context.c | 7 ++++++-
2 files changed, 10 insertions(+), 15 deletions(-)