I have brought this up before: A native Solaris' Kerberos ticket request will be granted by "shishid" with a life span of 25 years, since libshishi does not perform sanitation. It is "shishid" that malfunctions, not the external client!
The following patch resets the requested expiration time for any request that asks for more than a five-fold of the default life span, simply by resetting the interval to the configured default value. I have tested this with "kinit" on OpenIndiana and "shishid" on Debian. Regards, Mats Erik Andersson >From c2fe645f49e803ee331e3595c03a408b1140096b Mon Sep 17 00:00:00 2001 From: Mats Erik Andersson <g...@gisladisker.se> Date: Sat, 27 Oct 2012 16:38:18 +0200 Subject: [PATCH] encticketpart: Limit excessive life span. --- lib/encticketpart.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/lib/encticketpart.c b/lib/encticketpart.c index 4f7dc8e..4752caf 100644 --- a/lib/encticketpart.c +++ b/lib/encticketpart.c @@ -288,7 +288,9 @@ shishi_encticketpart_authtime_set (Shishi * handle, * @encticketpart: input EncTicketPart variable. * @endtime: character buffer containing a generalized time string. * - * Set the EncTicketPart.endtime to supplied value. + * Set the EncTicketPart.endtime to a supplied value. + * A life span in excess of five default ticket life spans + * is reset to the configured default value. * * Return value: Returns %SHISHI_OK iff successful. **/ @@ -298,6 +300,14 @@ shishi_encticketpart_endtime_set (Shishi * handle, const char *endtime) { int res; + time_t limit, asked; + + asked = shishi_generalize_ctime (handle, endtime); + limit = time (NULL) + handle->ticketlife; + + /* Is the life span excessive? Then standardize it. */ + if (asked > time (NULL) + 5 * handle->ticketlife) + endtime = shishi_generalize_time (handle, limit); res = shishi_asn1_write (handle, encticketpart, "endtime", endtime, SHISHI_GENERALIZEDTIME_LENGTH); -- 1.7.2.5
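Review bot: the doc-comment sentence added in the first hunk (the header of shishi_encticketpart_endtime_set) does not say what the life span is measured from. The code in the second hunk measures it from the current time, time (NULL), not from the ticket's start or auth time, so the comment should say "more than five default ticket life spans from now". It should also state that in that case the value written is not the caller's @endtime string, since the function still returns %SHISHI_OK and the caller has no other way to learn that the end time was changed.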
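Review bot: in the second hunk, the result of shishi_generalize_ctime (handle, endtime) is assigned to asked and compared straight away, with no check that endtime actually parsed as a generalized time. A failed conversion is not detected, and the unparsed string is then passed on to shishi_asn1_write unchanged. Validate asked before the comparison and decide explicitly what to write when it is invalid. Two smaller points in the same hunk: time (NULL) is read twice, so limit and the threshold in the if can be computed from different seconds, and limit is computed even when it is not used; read the clock once into a local and derive both values from it. The factor 5 would be clearer as a named constant. Since the check sits in lib/encticketpart.c, it applies to every caller of shishi_encticketpart_endtime_set and not only to "shishid", which is worth stating in the commit message if intended.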