Subject: Renewed tickets can be marked renewable with no renewable endtime
Commit 4f551a7ec126c52ee1f8fea4c3954015b70987bd (ticket 7661) tries to
issue renewable tickets only if the computed renewable end time is
greater than the computed end time. The design assumption is that the
renewable bit in the returned ticket is only ever set by the last
conditional in kdc_get_ticket_renewtime().

However, for a renewed ticket, the assignment
"enc_tkt_reply = *(header_ticket->enc_part2);" sets the renewable bit in
enc_tkt_reply.flags (since it was necessarily set in
header_ticket->enc_part2->flags). So if the resulting ticket isn't
determined to be renewable, the renewable flag is set but renew_till is 0.
This was reported by Weijun Wang.

The simple fix is to clear the renewable flag at the beginning of
kdc_get_ticket_renewtime() where we clear renew_till.

We might also reconsider whether it is better to issue trivially
renewable tickets (renew_till == till) instead of non-renewable
tickets, assuming the client asked for a renewable ticket. We
received one complaint after #7661 because a script started getting
failures trying to renew a non-renewable ticket:

http://mailman.mit.edu/pipermail/kerberos/2015-August/020926.html
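
The flag carry-over described in the report above, as an added example: this is a simplified model written for this page, not krb5 source. `struct tkt`, `FLG_RENEWABLE`, `model_renewtime()`, `model_renew()` and `tkt_consistent()` are hypothetical stand-ins, and `clear_flag` switches between the reported behaviour (0) and the proposed fix (1).

```c
#include <stdint.h>
#include <stdio.h>

#define FLG_RENEWABLE 0x1u      /* hypothetical flag bit for this model */

struct tkt {                    /* stand-in for a ticket's encrypted part */
    uint32_t flags;
    int64_t endtime;
    int64_t renew_till;
};

/* Model of the renew-time step: renew_till is always reset, but the flag is
 * only cleared when clear_flag is nonzero (the proposed fix). */
static void model_renewtime(struct tkt *reply, int64_t computed_rtime,
                            int clear_flag)
{
    reply->renew_till = 0;
    if (clear_flag)
        reply->flags &= ~FLG_RENEWABLE;
    /* Last conditional: the only place meant to mark the ticket renewable. */
    if (computed_rtime > reply->endtime) {
        reply->flags |= FLG_RENEWABLE;
        reply->renew_till = computed_rtime;
    }
}

/* Invariant a checker can assert: renewable flag implies nonzero renew_till. */
static int tkt_consistent(const struct tkt *t)
{
    return !(t->flags & FLG_RENEWABLE) || t->renew_till != 0;
}

/* Model of a renewal: the struct copy carries the header ticket's flags. */
static struct tkt model_renew(const struct tkt *header, int64_t new_end,
                              int64_t computed_rtime, int clear_flag)
{
    struct tkt reply = *header; /* mirrors the assignment quoted in the report */
    reply.endtime = new_end;
    model_renewtime(&reply, computed_rtime, clear_flag);
    return reply;
}

int main(void)
{
    struct tkt hdr = { FLG_RENEWABLE, 100, 200 };   /* constructed sample */
    struct tkt bad = model_renew(&hdr, 200, 200, 0);
    struct tkt ok = model_renew(&hdr, 200, 200, 1);
    printf("unfixed consistent=%d fixed consistent=%d\n",
           tkt_consistent(&bad), tkt_consistent(&ok));
    return 0;
}
```
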
From: ghudson@mit.edu
Subject: git commit

Issue trivially renewable tickets

If the client specifically asks for renewable tickets but the
renewable end time (either requested or after restrictions) doesn't
exceed the ticket end time, issue a renewable ticket anyway. Issuing
a non-renewable ticket (as we started doing in release 1.12, due to
the refactoring in commit 4f551a7ec126c52ee1f8fea4c3954015b70987bd)
can be unfriendly to scripts.

Also make sure never to issue a ticket with the renewable flag set but
no renew-till field, by clearing the renewable flag at the start of
kdc_get_ticket_renewtime(). The flag could have been previously set
by the assignment "enc_tkt_reply = *(header_ticket->enc_part2)" in
process_tgs_req() when processing a renewal request.

Modify t_renew.py to expect renewable tickets in some tests where it
previously did not, to check for specific lifetimes, and to check the
renewable flag as well as the renewable lifetime.

https://github.com/krb5/krb5/commit/45c19b19ea4d47ac5969a9cbdb308201b16615d8
Author: Greg Hudson <ghudson@mit.edu>
Commit: 45c19b19ea4d47ac5969a9cbdb308201b16615d8
Branch: master
src/kdc/kdc_util.c | 15 ++++++----
src/tests/t_renew.py | 71 +++++++++++++++++++++++++++++++++++---------------
2 files changed, 59 insertions(+), 27 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Allow small errors in t_renew.py tests

https://github.com/krb5/krb5/commit/4cfb64e362443be36a4cb92fb8f5d1d93280fb3f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4cfb64e362443be36a4cb92fb8f5d1d93280fb3f
Branch: master
src/tests/t_renew.py | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)