Re: re-requests of expired keys.
Anders Magnusson <ragge@ltu.se> writes:
> I wrote a patch to solve this problem. I'm not sure of the correctness,
> so I leave it to the Heimdal gurus to verify it :-) With this, the key
> is removed (and refetched) if it is not valid anymore.
I wrote a competing patch; can you try it out (works for me)?
Love
--- lib/krb5/get_cred.c 2 Feb 2005 07:30:04
+++ lib/krb5/get_cred.c 11 May 2005 19:20:39
@@ -841,13 +841,25 @@
ccache,
options,
in_creds, res_creds);
+ /*
+ * If we got a credential, check if credential is expired before
+ * returning it.
+ */
if(ret == 0) {
+ krb5_timestamp timeret;
+
+ krb5_timeofday(context, &timeret);
+ if (res_creds->times.endtime > timeret) {
*out_creds = res_creds;
return 0;
}
+ if ((options & KRB5_GC_CACHED) == 0)
+ ret = krb5_cc_remove_cred(context, ccache, 0, res_creds);
+ free(res_creds);
+ } else if (ret != KRB5_CC_END) {
free(res_creds);
- if(ret != KRB5_CC_END)
return ret;
+ }
if(options & KRB5_GC_CACHED) {
krb5_clear_error_string (context);
return KRB5_CC_NOTFOUND;
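Review bot: the return value of krb5_timeofday() is ignored, so if it fails timeret is left uninitialized and `if (res_creds->times.endtime > timeret)` compares the end time against garbage; check the result and, on error, free res_creds and return it before the comparison. Also, `ret = krb5_cc_remove_cred(context, ccache, 0, res_creds);` stores the result but the code falls through regardless, so a failed removal is silently dropped and the stale entry stays in the cache while the function goes on to refetch; either check that return value or add a comment stating that the failure is deliberately ignored.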
>
> -- Ragge
>
>
> *** get_cred.c.orig Tue May 10 13:12:53 2005
> --- get_cred.c Tue May 10 14:51:03 2005
> ***************
> *** 835,840 ****
> --- 835,860 ----
> in_creds->session.keytype ?
> KRB5_TC_MATCH_KEYTYPE : 0,
> in_creds, res_creds);
> + if (ret == 0) {
> + krb5_error_code ret2;
> + krb5_timestamp timeret;
> +
> + /* Check if credential is expired */
> + if((ret2 = krb5_timeofday(context, &timeret))) {
> + free(res_creds);
> + return ret2;
> + }
> +
> + if (res_creds->times.endtime < timeret) {
> + /* delete old principal and refetch */
> + if((ret2 = krb5_cc_remove_cred(context, ccache, 0, res_creds))){
> + free(res_creds);
> + return ret2;
> + }
> + ret = KRB5_CC_END; /* XXX */
> + }
> + }
> +
> if(ret == 0) {
> *out_creds = res_creds;
> return 0;
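Review bot: `ret = KRB5_CC_END; /* XXX */` is correct only because the unchanged code that follows frees res_creds and treats KRB5_CC_END as "not in cache" before going on to the KRB5_GC_CACHED check and refetch; replace the XXX with a comment that says so, since anyone reordering that code would leak res_creds or hand back the expired entry. Also, `if (res_creds->times.endtime < timeret)` lets a credential whose end time equals the current second through as valid; `<=` matches the intent of refetching anything that is no longer usable.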
>
>
>
>
> On Mon, May 09, 2005 at 09:15:10AM +0200, Anders Magnusson wrote:
>> I should note that this is with Heimdal 0.6.3, tested on both Solaris and
>> NetBSD.
>>
>> -- Ragge
>>
>> On Wed, 04 May 2005 12:07:02 +0200 Anders Magnusson wrote:
>> >
>> > I have an annoying problem: expired tickets do not get re-requested even if
>> > the tgt is not expired. For example; if the ccache contains this:
>> >
>> > ulrik.dc.luth.se:/home/ragge >klist
>> > Credentials cache: FILE:/tmp/krb5cc_30
>> > Principal: ragge@LTU.SE
>> >
>> > Issued Expires Principal
>> > May 3 13:59:48 May 3 23:58:32 krbtgt/LTU.SE@LTU.SE
>> > May 3 13:59:48 May 3 23:58:32 krbtgt/LTU.SE@LTU.SE
>> > May 3 14:01:06 >>>Expired<<< host/osiris.dc.ltu.se@LTU.SE
>> >
>> > then I can't get kerberos to work when trying to connect to osiris. OpenSSH 4
>> > -v says:
>> >
>> > ...
>> > debug1: Next authentication method: gssapi-with-mic
>> > debug1: Delegating credentials
>> > debug1: The context has expired
>> > Undefined error: 0
>> > ...
>> >
>> > and telnet says the same:
>> >
>> > ulrik.dc.luth.se:/home/ragge >telnet osiris
>> > Trying 130.240.112.182...
>> > Connected to osiris.dc.ltu.se.
>> > Escape character is '^]'.
>> > [ Trying KERBEROS5 ... ]
>> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
>> > [ Trying KERBEROS5 ... ]
>> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
>> >
>> > Shouldn't the expired ticket get re-requested?
>> >
>> > -- Ragge
>> >
>> >
>>