PK-Init and proxy certs question
Hi,
I have a question (or maybe it is a bug) regarding the TGT generation
out of Globus proxy certificates. That's what I did:
[brutus-vm10] ~ % date
Tue Sep 25 15:23:45 CEST 2007
[brutus-vm10] ~ % grid-proxy-init -rfc
Your identity: /O=GermanGrid/OU=DESY/CN=Andreas Haupt
Enter GRID pass phrase for this identity:
Creating proxy ....................................... Done
Your proxy is valid until: Wed Sep 26 03:23:50 2007
[brutus-vm10] ~ % grid-proxy-info
subject : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=1396311403
issuer : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
type : RFC 3820 compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_p31139.fileiLYtv0.1
timeleft : 11:59:55
[brutus-vm10] ~ % kinit -C FILE:/tmp/x509up_p31139.fileiLYtv0.1 ahaupt@IFH.DE
[brutus-vm10] ~ % klist
Credentials cache: FILE:/tmp/krb5cc_9132_rd3v5E
Principal: ahaupt@IFH.DE
Issued Expires Principal
Sep 25 15:24:00 Sep 26 16:23:59 krbtgt/IFH.DE@IFH.DE
Sep 25 15:24:01 Sep 26 16:23:59 afs@IFH.DE
What you can see is that the TGT is valid for a longer time (actually
the default ticket lifetime) than the original proxy certificate. Is it
a misconfiguration? Or a bug?
BTW: I've written a PAM module that generates a K5 TGT out of a
delegated Globus proxy (e.g. by gsissh) at login. With the help of
pam_krb5afs you can even obtain an AFS token. It is called
pam_gridpxy2krb5 and can be downloaded from here:
http://www-zeuthen.desy.de/~ahaupt/downloads/pam_gridpxy2krb5-0.1.tar.gz
Please feel free to use or modify it.
Cheers,
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
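
The lifetime mismatch shown in the session above can be checked mechanically. The following is an added example, not part of the original post or of pam_gridpxy2krb5: it compares the ticket expiry times printed by klist with the proxy's "valid until" time and computes the lifetime a ticket would have if it were capped at the proxy's expiry. The function names are hypothetical, and because klist prints no year, the year is assumed to be that of the proxy expiry.

```python
from datetime import datetime

# Values copied from the session in the post above.
PROXY_VALID_UNTIL = "Wed Sep 26 03:23:50 2007"
KLIST_LINES = [
    "Sep 25 15:24:00 Sep 26 16:23:59 krbtgt/IFH.DE@IFH.DE",
    "Sep 25 15:24:01 Sep 26 16:23:59 afs@IFH.DE",
]
STAMP = "%Y %b %d %H:%M:%S"


def parse_proxy_expiry(text):
    """Parse the 'Your proxy is valid until:' timestamp."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def parse_klist_line(line, year):
    """Return (issued, expires, principal) for one klist ticket line.

    klist prints no year, so the caller supplies it (assumption)."""
    f = line.split()
    if len(f) != 7:
        raise ValueError(f"unexpected klist line: {line!r}")
    issued = datetime.strptime(f"{year} {' '.join(f[0:3])}", STAMP)
    expires = datetime.strptime(f"{year} {' '.join(f[3:6])}", STAMP)
    if expires < issued:  # ticket lifetime crosses New Year
        expires = expires.replace(year=year + 1)
    return issued, expires, f[6]


def find_overruns(proxy_expiry, klist_lines):
    """List (principal, overrun) for tickets that outlive the proxy."""
    overruns = []
    for line in klist_lines:
        _, expires, principal = parse_klist_line(line, proxy_expiry.year)
        if expires > proxy_expiry:
            overruns.append((principal, expires - proxy_expiry))
    return overruns


def capped_lifetime(proxy_expiry, issued):
    """Seconds a ticket issued at `issued` may live without outliving the proxy."""
    return max(0, int((proxy_expiry - issued).total_seconds()))


if __name__ == "__main__":
    expiry = parse_proxy_expiry(PROXY_VALID_UNTIL)
    for principal, overrun in find_overruns(expiry, KLIST_LINES):
        print(f"{principal} outlives the proxy by {overrun}")
```

The value returned by capped_lifetime is in seconds and can be given to kinit as the requested ticket lifetime (-l) when the ticket is obtained from a proxy.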