Bug 80155
Summary: | pam_krb5afs token length does not obey ticket_lifetime setting | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Mark Nejedlo <nejedlo> |
Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | ||
Hardware: | i386 | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2004-08-27 18:27:14 UTC | Type: | --- |
Description
Mark Nejedlo
2002-12-20 20:11:08 UTC
After further investigation, I have a fairly good idea what is happening. My default ticket lifetime above is used in a call to krb_mk_in_tkt_preauth, specifically (line 1638-1643 of pam_krb5afs.c from pam_krb5-1.55-1):

```c
/* Note: the lifetime is measured in multiples of 5m. */
k4rc = krb_mk_in_tkt_preauth(v4name, v4inst, v4realm,
                             sname, sinst,
                             config->ticket_lifetime / 60 / 5,
                             NULL, 0, ciphertext);
```

The ticket lifetime / 60 / 5 = 312. In krb_mk_in_tkt_preauth it is cast into a char when stuffed into the krb4 pkt. Since 312 > 255, it gets truncated to 56, and 56 * 5 = 280, or 4 hours, 40 minutes.

I still consider this a bug in that there is no documented limit on token lifetime, and since the limit is in this PAM module, not AFS, since using kinit + aklog (from ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/) is able to do what is desired.

Thanks
Mark

This should be fixed in the current release. krb5 version 1.2 didn't provide support for using AFS-style long lifetimes, but 1.3 does, and pam_krb5 should be using it correctly.
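The truncation described in the report, reproduced as an added example (not code from pam_krb5 or krb5). The function names are hypothetical, the 93600-second lifetime is constructed to give the 312 units quoted above, and the clamp is an assumed mitigation for the one-byte field rather than the AFS-style long lifetime support the final comment mentions.

```c
#include <stdio.h>

/* Hypothetical helper mirroring the conversion in the report: seconds
 * become a count of 5-minute units, which the krb4 packet stores in a
 * single byte. The cast silently keeps only units mod 256. */
static unsigned char v4_life_truncating(long lifetime_secs)
{
    long units = lifetime_secs / 60 / 5;
    return (unsigned char)units;
}

/* Hypothetical hardened form: clamp to what one byte can hold and tell
 * the caller, so the shortened lifetime can be logged instead of
 * silently wrapping to a much smaller value. */
static unsigned char v4_life_clamped(long lifetime_secs, int *clamped)
{
    long units = lifetime_secs / 60 / 5;
    *clamped = 0;
    if (units < 0)   { units = 0;   *clamped = 1; }
    if (units > 255) { units = 255; *clamped = 1; }
    return (unsigned char)units;
}

/* Effective lifetime in minutes for a given byte value (linear units). */
static long v4_life_minutes(unsigned char units)
{
    return (long)units * 5;
}

int main(void)
{
    long requested = 312L * 5 * 60;   /* constructed input: 93600 s */
    int clamped = 0;

    unsigned char wrapped = v4_life_truncating(requested);
    unsigned char safe = v4_life_clamped(requested, &clamped);

    printf("requested: %ld min\n", requested / 60);
    printf("truncating cast: byte=%u -> %ld min\n",
           (unsigned)wrapped, v4_life_minutes(wrapped));
    printf("clamped: byte=%u -> %ld min (clamped=%d)\n",
           (unsigned)safe, v4_life_minutes(safe), clamped);
    return 0;
}
```

With linear 5-minute units, one byte tops out at 255 * 5 = 1275 minutes, so any configured lifetime above 21 hours 15 minutes needs either a clamp with a warning or a different lifetime encoding.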