Bug 80155

Summary: pam_krb5afs token length does not obey ticket_lifetime setting
Product: [Retired] Red Hat Linux
Reporter: Mark Nejedlo <nejedlo>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.3
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-08-27 18:27:14 UTC

Description Mark Nejedlo 2002-12-20 20:11:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120
Netscape/7.01

Description of problem:
I have my ticket lifetime in krb5.conf set to 26 hours (93600s), but the tokens
I get at login are valid for about 4 hours 40 minutes.  The Krb5 ticket is valid
for the requested 26 hours, but the krb4 ticket for krbtgt and afs are only
valid for 4h, 40m.  When I decreased the ticket_lifetime variable, the token
lifetime got longer, and when I commented it out entirely, it was valid for 10
hours.  If I use the command line tools (kinit and aklog) to get a ticket and
token, they are all valid for 26h.  The pam section of [appdefaults] in
krb5.conf is below.

pam = {
   debug = false
   minimum_uid=1001
   ticket_lifetime = 93600
   renew_lifetime = 93600
   forwardable = true
   krb4_convert = true
   afs_cells = physics.wisc.edu
   validate = true
 }


Version-Release number of selected component (if applicable):
1.55-1


How reproducible:
Always

Steps to Reproduce:
1. Use the provided ticket lifetime information
2. Log in
3. Check ticket and token lifetimes


Actual Results:

willow:~/(1)% date ; klist;tokens
Fri Dec 20 11:48:34 CST 2002
Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN
Default principal: nejedlo.EDU

Valid starting     Expires            Service principal
12/20/02 11:48:23  12/21/02 13:48:23  krbtgt/PHYSICS.WISC.EDU.EDU
        renew until 12/21/02 13:48:23


Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl
Principal: nejedlo.EDU

  Issued              Expires             Principal
12/20/02 11:48:23  12/20/02 16:28:23  krbtgt.PHYSICS.WISC.EDU.EDU
12/20/02 11:48:24  12/20/02 16:28:24  afs.EDU

Tokens held by the Cache Manager:

User's (AFS ID 28552) tokens for afs.edu [Expires Dec 20 16:28]
   --End of list--
willow:~/(2)% 


Expected Results:

willow:~/(6)% kdestroy;unlog
willow:~/(7)% kinit nejedlo -5 -f -p -r 26h -l 26h ; /apps/krb5-1.2.5/bin/aklog
Password for nejedlo.EDU: 
willow:~/(8)% date ; klist ; tokens
Fri Dec 20 11:56:39 CST 2002
Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN
Default principal: nejedlo.EDU

Valid starting     Expires            Service principal
12/20/02 11:56:34  12/21/02 13:56:34  krbtgt/PHYSICS.WISC.EDU.EDU
        renew until 12/21/02 13:56:34
12/20/02 11:56:37  12/21/02 13:56:34  afs.EDU
        renew until 12/21/02 13:56:34


Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl
klist: You have no tickets cached

Tokens held by the Cache Manager:

User's (AFS ID 28552) tokens for afs.edu [Expires Dec 21 13:56]
   --End of list--
willow:~/(9)% 


Additional info:

Comment 1 Mark Nejedlo 2003-01-24 22:18:03 UTC
After further investigation, I have a fairly good idea what is happening.  My
default ticket lifetime above is used in a call to krb_mk_in_tkt_preauth,
specifically (line 1638-1643 of pam_krb5afs.c from pam_krb5-1.55-1):

    /* Note: the lifetime is measured in multiples of 5m. */
    k4rc = krb_mk_in_tkt_preauth(v4name, v4inst, v4realm,
                                 sname, sinst,
                                 config->ticket_lifetime
                                 / 60 / 5,
                                 NULL, 0, ciphertext);

The ticket lifetime / 60 / 5 = 312.  In krb_mk_in_tkt_preauth it is cast into a
char when stuffed into the krb4 pkt.  Since 312 > 255, it gets truncated to 56,
and 56 * 5 = 280, or 4 hours, 40 minutes.  I still consider this a bug in that
there is no documented limit on token lifetime, and since the limit is in this
PAM module, not AFS, since using kinit + aklog (from
ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/) is able to do what is desired.  Thanks
Mark

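The truncation described in Comment 1, reproduced as an added example (editor's code, not from pam_krb5 or the reporter): the seconds-to-5-minute-units conversion, the one-byte narrowing, and a clamped variant that refuses to wrap silently. The input values are constructed; 36000 s is assumed to stand for the 10-hour default the reporter saw with the setting commented out, and the 255-unit maximum is the largest value a one-byte field can hold.

```c
#include <stdio.h>

/* The classic krb4 ticket carries the lifetime as one byte counting
 * 5-minute units, so the largest encodable value is 255 (21h15m). */
#define KRB4_LIFE_UNIT_SECS (5 * 60)
#define KRB4_LIFE_MAX_UNITS 255

/* Reproduces the arithmetic pam_krb5afs 1.55 performed: seconds -> 5-minute
 * units, then the implicit narrowing to one byte when the value is stuffed
 * into the krb4 packet (on i386 a plain char yields the same 56 here).
 * Returns the lifetime actually requested, in seconds. */
long buggy_krb4_lifetime_secs(long ticket_lifetime_secs)
{
    int units = (int)(ticket_lifetime_secs / 60 / 5);   /* 93600 -> 312 */
    unsigned char wire = (unsigned char)units;          /* 312 -> 56 (312 mod 256) */
    return (long)wire * KRB4_LIFE_UNIT_SECS;            /* 56 * 300 = 16800 s = 4h40m */
}

/* Check: 1 if the configured lifetime does not fit the one-byte field. */
int krb4_lifetime_overflows(long ticket_lifetime_secs)
{
    return ticket_lifetime_secs / KRB4_LIFE_UNIT_SECS > KRB4_LIFE_MAX_UNITS;
}

/* Hardened variant: clamp to the largest encodable value instead of
 * wrapping, so the caller can log a warning rather than issue a short ticket. */
long clamped_krb4_lifetime_secs(long ticket_lifetime_secs)
{
    long units = ticket_lifetime_secs / KRB4_LIFE_UNIT_SECS;
    if (units > KRB4_LIFE_MAX_UNITS) units = KRB4_LIFE_MAX_UNITS;
    if (units < 0) units = 0;           /* guard against a negative config value */
    return units * KRB4_LIFE_UNIT_SECS;
}

int main(void)
{
    /* Constructed inputs: the reporter's 26h, a lower value, and 36000 s
     * standing in for the 10h default observed with the setting commented out. */
    long cases[] = { 93600, 76500, 36000 };
    int i;
    for (i = 0; i < 3; i++) {
        long got = buggy_krb4_lifetime_secs(cases[i]);
        long fixed = clamped_krb4_lifetime_secs(cases[i]);
        printf("ticket_lifetime=%ld s -> buggy %ldh%02ldm, clamped %ldh%02ldm%s\n",
               cases[i], got / 3600, (got % 3600) / 60, fixed / 3600, (fixed % 3600) / 60,
               krb4_lifetime_overflows(cases[i]) ? " (config exceeds krb4 maximum)" : "");
    }
    return 0;
}
```

Running it shows the three observations from the report: 93600 s collapses to 4h40m, a smaller 76500 s yields a longer 21h15m, and 36000 s (10h) passes through unchanged.
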
Comment 2 Nalin Dahyabhai 2004-08-27 18:27:14 UTC
This should be fixed in the current release.  krb5 version 1.2 didn't
provide support for using AFS-style long lifetimes, but 1.3 does, and
pam_krb5 should be using it correctly.