Red Hat Bugzilla – Bug 80155
pam_krb5afs token length does not obay ticket_lifetime setting
Last modified: 2007-04-18 12:49:12 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01 Description of problem: I have my ticket lifetime in krb5.conf set to 26 hours (93600s), but the tokens I get at login are valid for about 4 hours 40 minutes. The Krb5 ticket is valid for the requested 26 hours, but the krb4 ticket for krbtgt and afs are only valid for 4h, 40m. When I decreased the ticket_lifetime variable, the token lifetime got longer, and when I commented it out entirely, it was valid for 10 hours. If I use the command line tools (kinit and aklog) to get a ticket and token, they are all valid for 26h. The pam section of [appdefaults] in krb5.conf is below. pam = { debug = false minimum_uid=1001 ticket_lifetime = 93600 renew_lifetime = 93600 forwardable = true krb4_convert = true afs_cells = physics.wisc.edu validate = true } Version-Release number of selected component (if applicable): 1.55-1 How reproducible: Always Steps to Reproduce: 1.use provided ticket lifetime information 2.log in 3.check ticket and token lifetimes Actual Results: willow:~/(1)% date ; klist;tokens Fri Dec 20 11:48:34 CST 2002 Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN Default principal: nejedlo@PHYSICS.WISC.EDU Valid starting Expires Service principal 12/20/02 11:48:23 12/21/02 13:48:23 krbtgt/PHYSICS.WISC.EDU@PHYSICS.WISC.EDU renew until 12/21/02 13:48:23 Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl Principal: nejedlo@PHYSICS.WISC.EDU Issued Expires Principal 12/20/02 11:48:23 12/20/02 16:28:23 krbtgt.PHYSICS.WISC.EDU@PHYSICS.WISC.EDU 12/20/02 11:48:24 12/20/02 16:28:24 afs@PHYSICS.WISC.EDU Tokens held by the Cache Manager: User's (AFS ID 28552) tokens for afs@physics.wisc.edu [Expires Dec 20 16:28] --End of list-- willow:~/(2)% Expected Results: willow:~/(6)% kdestroy;unlog willow:~/(7)% kinit nejedlo -5 -f -p -r 26h -l 26h ; /apps/krb5-1.2.5/bin/aklog Password for nejedlo@PHYSICS.WISC.EDU: willow:~/(8)% date ; klist ; tokens Fri Dec 20 11:56:39 CST 2002 Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN Default principal: nejedlo@PHYSICS.WISC.EDU Valid starting Expires Service principal 12/20/02 11:56:34 12/21/02 13:56:34 krbtgt/PHYSICS.WISC.EDU@PHYSICS.WISC.EDU renew until 12/21/02 13:56:34 12/20/02 11:56:37 12/21/02 13:56:34 afs@PHYSICS.WISC.EDU renew until 12/21/02 13:56:34 Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl klist: You have no tickets cached Tokens held by the Cache Manager: User's (AFS ID 28552) tokens for afs@physics.wisc.edu [Expires Dec 21 13:56] --End of list-- willow:~/(9)% Additional info:
After further investigation, I have a fairly good idea what is happening. My default ticket lifetime above is used in a call to krb_mk_in_tkt_preauth, specifically (line 1638-1643 of pam_krb5afs.c from pam_krb5-1.55-1): /* Note: the lifetime is measured in multiples of 5m. */ k4rc = krb_mk_in_tkt_preauth(v4name, v4inst, v4realm, sname, sinst, config->ticket_lifetime / 60 / 5, NULL, 0, ciphertext); The ticket lifetime /60 / 5 = 312. In krb_mk_in_tkt_preauth it is cast into a char when stuffed into the krb4 pkt. Since 312 > 255, it gets truncated to 56, and 56 * 5 = 280, or 4 hours, 40 minutes. I still consider this a bug in that there is no documented limit on token lifetime, and since the limit is in this PAM module, not AFS, since using kinit + aklog (from ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/) is able to do what is desired. Thanks Mark
This should be fixed in the current release. krb5 version 1.2 didn't provide support for using AFS-style long lifetimes, but 1.3 does, and pam_krb5 should be using it correctly.