
Re: re-requests of expired keys.



I wrote a patch to solve this problem.  I'm not sure of the correctness, 
so I leave it to the Heimdal gurus to verify it :-)  With this, the key
is removed (and refetched) if it is not valid anymore.  

-- Ragge


*** get_cred.c.orig	Tue May 10 13:12:53 2005
--- get_cred.c	Tue May 10 14:51:03 2005
***************
*** 835,840 ****
--- 835,860 ----
  				in_creds->session.keytype ?
  				KRB5_TC_MATCH_KEYTYPE : 0,
  				in_creds, res_creds);
+     if (ret == 0) {
+ 	krb5_error_code ret2;
+ 	krb5_timestamp timeret;
+ 
+ 	/* Check if credential is expired */
+ 	if((ret2 = krb5_timeofday(context, &timeret))) {
+ 	    free(res_creds);
+ 	    return ret2;
+ 	}
+ 
+ 	if (res_creds->times.endtime < timeret) {
+ 		/* delete old principal and refetch */
+ 		if((ret2 = krb5_cc_remove_cred(context, ccache, 0, res_creds))){
+ 			free(res_creds);
+ 			return ret2;
+ 		}
+ 		ret = KRB5_CC_END; /* XXX */
+ 	}
+     }
+ 
      if(ret == 0) {
  	*out_creds = res_creds;
  	return 0;
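Review bot: the new error paths leak the contents of res_creds. Once krb5_cc_retrieve_cred has returned 0 the structure holds allocated members (ticket, session key, principals), so the two `free(res_creds);` calls after a failed krb5_timeofday or krb5_cc_remove_cred drop those members, and the `ret = KRB5_CC_END; /* XXX */` path leaves res_creds populated when control reaches the cleanup that follows the hunk; call krb5_free_cred_contents(context, res_creds) before freeing in each of those cases. Two smaller points: `if (res_creds->times.endtime < timeret)` only rejects a ticket that is already past its end time, so a ticket that expires a moment later is still handed back and the server-side "Ticket expired" from the original report can still occur, which argues for a small margin; and if krb5_cc_remove_cred fails because the cache backend cannot delete single entries, the hunk returns that error instead of falling through to re-request, the opposite of what the patch sets out to do, so that failure is better treated as non-fatal. Please also replace the `/* XXX */` with a comment saying that KRB5_CC_END is reused here to mean "treat as a cache miss" so the code below refetches, and settle the mixed tab/space indentation to match the surrounding file.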




On Mon, May 09, 2005 at 09:15:10AM +0200, Anders Magnusson wrote:
> I should note that this is with Heimdal 0.6.3, tested on both Solaris and 
> NetBSD.
> 
> -- Ragge
> 
> On Wed, 04 May 2005 12:07:02 +0200 Anders Magnusson wrote:
> > 
> > I have an annoying problem: expired tickets do not get re-requested even if 
> > the tgt is not expired.  For example, if the ccache contains this:
> > 
> > ulrik.dc.luth.se:/home/ragge >klist
> > Credentials cache: FILE:/tmp/krb5cc_30
> >         Principal: ragge@LTU.SE
> > 
> >   Issued           Expires          Principal                 
> > May  3 13:59:48  May  3 23:58:32  krbtgt/LTU.SE@LTU.SE        
> > May  3 13:59:48  May  3 23:58:32  krbtgt/LTU.SE@LTU.SE        
> > May  3 14:01:06  >>>Expired<<<    host/osiris.dc.ltu.se@LTU.SE
> > 
> > then I can't get kerberos to work when trying to connect to osiris. OpenSSH 4 
> > -v says:
> > 
> > ...
> > debug1: Next authentication method: gssapi-with-mic
> > debug1: Delegating credentials
> > debug1:  The context has expired
> > Undefined error: 0
> > ...
> > 
> > and telnet says the same:
> > 
> > ulrik.dc.luth.se:/home/ragge >telnet osiris
> > Trying 130.240.112.182...
> > Connected to osiris.dc.ltu.se.
> > Escape character is '^]'.
> > [ Trying KERBEROS5 ... ]
> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
> > [ Trying KERBEROS5 ... ]
> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
> > 
> > Shouldn't the expired ticket get re-requested?
> > 
> > -- Ragge
> > 
> > 
>