Bug 1188917
| Summary: | kerberos password expiry not sufficiently precise on time remaining | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Morgan Weetman <mweetman> | ||||
| Component: | krb5 | Assignee: | Robbie Harwood <rharwood> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 7.0 | CC: | dpal, jplans, nalin, pkis, rharwood | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 7.4 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-05-02 18:35:39 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Further information: me.com's password: Warning: Your password will expire in 4 days on Sat Apr 4 11:47:00 2015 Last login: Mon Mar 30 11:05:11 AEDT 2015 from NNN.NNN.NNN.NNN on pts/0 [me@host ~]$ date Mon Mar 30 13:14:21 AEDT 2015 me.com's password: Warning: Your password will expire in 4 days on Sat Apr 4 11:47:00 2015 Last login: Mon Mar 30 13:49:35 AEDT 2015 from NNN.NNN.NNN.NNN on pts/0 [me@host ~]$ date Tue Mar 31 08:03:22 AEDT 2015 It seems like the number days until expiry might actually be the number of whole days remaining until the hour and minute of password expiry, regardless of what day of the week is the current day for the user. Any chance we can make it more accurate? :- e.g. Warning: Your password will expire in 4 days, 20 hours and 16 minutes on Sat Apr 4 11:47:00 2015 or: Warning: Your password will expire in 4.79 days on Sat Apr 4 11:47:00 2015 Created attachment 1173611 [details]
Proposed patch
Patch adds 2 decimal places to days, testing required
Upstream was not interested in this patch when it was proposed, so we will not be taking it in order to preserve compatibility. |
Description of problem: When logging in to a RHEL 6 host using kerberos credentials the password expiry warning date is a day further into the future than the suggested number of days. Version-Release number of selected component (if applicable): krb5-workstation-1.10.3-33.el6.x86_64 How reproducible: Log in to a system using a kerberos account when your password will expire within the warning time frame. Actual results: me.com's password: Warning: Your password will expire in 3 days on Fri Feb 6 08:26:09 2015 Last login: Fri Jan 30 14:21:49 AEDT 2015 from NNN.NNN.NNN.NNN on pts/0 [me@host ~]$ date Mon Feb 2 08:36:35 AEDT 2015 Expected results: Warning: Your password will expire in 3 days on Thu Feb 5 08:26:09 2015 or: Warning: Your password will expire in 4 days on Fri Feb 6 08:26:09 2015 Additional info: This system is authenticating users against Active Directory. I was looking into it but don't really have the time to test .. I thought that if 'days' was wrong it may be due to truncation when converted to an int, adding ceil() might be an option (would need to be compiled with '-lm'): --- lib/krb5/krb/gic_pwd.c +++ lib/krb5/krb/gic_pwd.c @@ -2,6 +2,7 @@ #include "k5-int.h" #include "com_err.h" #include "init_creds_ctx.h" +#include <math.h> krb5_error_code krb5_get_as_key_password(krb5_context context, @@ -207,7 +208,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, } else { snprintf(banner, sizeof(banner), _("Warning: Your password will expire in %d days on %s"), - delta / 86400, ts); + (int)ceil(delta / 86400), ts); } /* PROMPTER_INVOCATION */