The MIT krb5 client code in lib/krb5/gic_pwd.c:get_init_creds_password()
expects the key-expiration field of the enc part of the AS_REP to be the
password expiration time.
The MIT krb5 KDC code in kdc/do_as_req.c sets that field to be the
*account* expiration time.
The RFC and the revisions docs both say: "The key-expiration field is
part of the response from the KDC and specifies the time that the
client's secret key is due to expire. The expiration might be the
result of password aging or an account expiration."
Sites where the account expiration might be used to lock/close accounts
ahead of off-premises dates for employees being, say, laid off, would
NEVER want the account expiration date to be revealed in the AS_REP.
Below are TWO patches to the same MIT krb5 KDC code, one to set the
key-expiration field of the enc part of the AS_REP to be the PASSWORD
expiration time, the other to set the same field to the "sooner"
(lesser) of the password and account expiration values for the given
account.
Methinks that the revisions should clearly state that returning ONLY
the PASSWORD expiration time in this field is legal and reasonable.
And, IMHO, KDCs SHOULD make the behaviour be configurable.
Cheers,
Nico
Index: MIT-122.14/kdc/do_as_req.c
--- MIT-122.14/kdc/do_as_req.c Wed, 14 Mar 2001 14:20:32 -0500
+++ MIT-122.14(w)/kdc/do_as_req.c Wed, 17 Oct 2001 15:40:48 -0400
@@ -372,7 +372,7 @@
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client.pw_expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
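Review bot: the assignment `+ reply_encpart.key_exp = client.pw_expiration;` hard-codes password-only semantics, while the cover text says KDCs SHOULD make this configurable; rather than swapping one fixed choice for another, read a realm/KDC policy setting here and default it to the old behaviour so existing deployments are not surprised. Also add a line to the KDC documentation stating that key_exp now carries the password expiration, since clients such as gic_pwd.c:get_init_creds_password() display this value, and confirm what the client does with a zero pw_expiration for principals without password aging before this ships.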
OR
Index: MIT-122.14/kdc/do_as_req.c
--- MIT-122.14/kdc/do_as_req.c Wed, 14 Mar 2001 14:20:32 -0500
+++ MIT-122.14(w)/kdc/do_as_req.c Wed, 17 Oct 2001 15:40:48 -0400
@@ -372,7 +372,7 @@
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client.pw_expiration < client.expiration ?
+client.pw_expiration : client.expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
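Review bot: the ternary `+ reply_encpart.key_exp = client.pw_expiration < client.expiration ? ... : client.expiration;` is a plain minimum, so if either field uses 0 to mean "no expiration" (the usual encoding for an unset principal expiration) the zero side always wins: a principal with no password aging gets key_exp = 0 ("never") even though the account expires, and a principal with no account expiration has its real password expiration masked. Guard that case (if one value is 0 return the other, else the lesser), ideally in a small static helper so the intent is readable. The continuation line `+client.pw_expiration : client.expiration;` also needs indenting to match the surrounding code, and this alternative is no more configurable than the first one, which the cover text asks for.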
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
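The selection logic the two patches above argue about, as an added example that is not part of the original message or of MIT krb5: it shows the three possible sources for the key-expiration field (account, password, or the sooner of the two) behind a configurable policy, and it handles the case the bare "lesser of" comparison gets wrong. It assumes that timestamps are seconds since the epoch and that a value of 0 means "no expiration", which is how unset principal expirations are commonly stored; the config key name `key_exp_source` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not MIT krb5 code): choosing the AS_REP key-expiration
 * value from a principal's password and account expirations.
 *
 * Assumption: timestamps are seconds since the epoch and 0 means "no
 * expiration", so a plain "<" minimum gets the unset case wrong.
 */
typedef int32_t kexp_time;

typedef enum {
    KEY_EXP_ACCOUNT,    /* unpatched KDC: client.expiration */
    KEY_EXP_PASSWORD,   /* first patch: client.pw_expiration only */
    KEY_EXP_SOONER      /* second patch, with the zero case handled */
} key_exp_policy;

/* What the second patch's ternary computes: wrong when one side is 0. */
kexp_time naive_sooner(kexp_time pw_expiration, kexp_time account_expiration)
{
    return pw_expiration < account_expiration ? pw_expiration : account_expiration;
}

/* Earliest of two expirations, treating 0 as "never" rather than as the epoch. */
kexp_time sooner_expiration(kexp_time pw_expiration, kexp_time account_expiration)
{
    if (pw_expiration == 0)
        return account_expiration;
    if (account_expiration == 0)
        return pw_expiration;
    return pw_expiration < account_expiration ? pw_expiration : account_expiration;
}

/* Value to place in reply_encpart.key_exp under the configured policy. */
kexp_time choose_key_exp(kexp_time pw_expiration, kexp_time account_expiration,
                         key_exp_policy policy)
{
    switch (policy) {
    case KEY_EXP_PASSWORD:
        return pw_expiration;
    case KEY_EXP_SOONER:
        return sooner_expiration(pw_expiration, account_expiration);
    case KEY_EXP_ACCOUNT:
    default:
        return account_expiration;
    }
}

/*
 * Parse a hypothetical realm setting "key_exp_source = account|password|sooner".
 * Returns 1 on success; on an unknown value leaves *out untouched and returns 0,
 * so a typo in the config cannot silently change what the KDC reveals.
 */
int parse_key_exp_policy(const char *value, key_exp_policy *out)
{
    if (value == NULL || out == NULL)
        return 0;
    if (strcmp(value, "account") == 0)  { *out = KEY_EXP_ACCOUNT;  return 1; }
    if (strcmp(value, "password") == 0) { *out = KEY_EXP_PASSWORD; return 1; }
    if (strcmp(value, "sooner") == 0)   { *out = KEY_EXP_SOONER;   return 1; }
    return 0;
}

int main(void)
{
    /* Constructed sample principal: password expires before the account. */
    kexp_time pw_exp = 1003000000, acct_exp = 1004000000;
    key_exp_policy policy = KEY_EXP_ACCOUNT;

    if (!parse_key_exp_policy("sooner", &policy))
        return 1;
    printf("key_exp (sooner) = %ld\n", (long)choose_key_exp(pw_exp, acct_exp, policy));
    /* No password aging: the naive minimum reports "never", the guarded one does not. */
    printf("naive = %ld, guarded = %ld\n",
           (long)naive_sooner(0, acct_exp), (long)sooner_expiration(0, acct_exp));
    return 0;
}
```

The parser deliberately refuses unknown values instead of falling back to a default, because the safe default here depends on site policy: a site that uses account expiration as a termination date wants "password", not "account".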