Skip Menu |

From: "Félix-Antoine Fortin" <>
Date: Wed, 6 Oct 2021 10:18:36 -0400
Subject: Bug report: warn_pw_expiry() wrongfully warns of coming expiration when krbPasswordExpiration is in at least 68.09 years
Download (untitled) / with headers
text/plain 1.6KiB

While tinkering with krbPasswordExpiration setting in FreeIPA, I stumbled on a corner case where calling kinit would output the following warning:
$ kinit admin
Password for admin@INT.HOSTNAME.TLD:
Warning: Your password will expire in less than one hour on Fri 05 Oct 2096 12:00:00 AM UTC
The admin krbPasswordExpiration is effectively set to 05 Oct 2096 12:00:00 AM UTC or in epoch: 4000233600, while the current date was 05 Oct 2021 13:58:00 AM UTC or in epoch : 1633442336.

The problem happens here:

warn_pw_expiry() computes the difference between the expiration date and now using ts_delta. Since ts_delta returns a signed 32 bits integer, the highest difference that can be correctly represented between a future date and now is 2147483648 seconds (~68.09 years). Beyond that, ts_delta returns a negative number, and warn_pw_expiry() warns the password is about to expire since it is smaller to 3600 seconds.

When the delta is computed, warn_pw_expiry() is already aware that the password is not expired, otherwise the expiration callback would have been called. Hence, we know the timestamp difference has to be strictly positive. Therefore, the first if could be rewritten as:

if (delta > 0 && delta < 3600) {

I realize this is a corner case, so it might not be desirable to fix the logic, but if the logic is not fixed, a maximum value for krbPasswordExpiration should probably be documented somewhere, which is why I am reporting this.

Félix-Antoine Fortin
Université Laval