
Re: re-requests of expired keys.



On Wed, 11 May 2005 21:24:39 +0200 Love Hörnquist Åstrand
wrote:
> 
> 
> Anders Magnusson <ragge@ltu.se> writes:
> 
> > I wrote a patch to solve this problem.  I'm not sure of the correctness, 
> > so I leave it to the Heimdal gurus to verify it :-)  With this, the key
> > is removed (and refetched) if it is not valid anymore.  
> 
> I wrote a competing patch, can you try it out (works for me)?
> 
Works great! Thanks!

-- Ragge

> 
> --- lib/krb5/get_cred.c	2 Feb 2005 07:30:04
> +++ lib/krb5/get_cred.c	11 May 2005 19:20:39
> @@ -841,13 +841,25 @@
>  				ccache,
>  				options,
>  				in_creds, res_creds);
> +    /* 
> +     * If we got a credential, check if credential is expired before
> +     * returning it.
> +     */
>      if(ret == 0) {
> + 	krb5_timestamp timeret;
> +
> + 	krb5_timeofday(context, &timeret);
> + 	if (res_creds->times.endtime > timeret) {
>  	*out_creds = res_creds;
>  	return 0;
>      }
> +	if ((options & KRB5_GC_CACHED) == 0)
> +	    ret = krb5_cc_remove_cred(context, ccache, 0, res_creds);
> +	free(res_creds);
> +    } else if (ret != KRB5_CC_END) {
>      free(res_creds);
> -    if(ret != KRB5_CC_END)
>  	return ret;
> +    }
>      if(options & KRB5_GC_CACHED) {
>  	krb5_clear_error_string (context);
>  	return KRB5_CC_NOTFOUND;
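Review bot: the return value of krb5_timeofday() is discarded at `krb5_timeofday(context, &timeret);`, so if the call fails timeret is left unset and the `res_creds->times.endtime > timeret` comparison runs on an indeterminate value; check the return as the context diff further down in this thread does, and free res_creds before returning the error. Separately, the result of krb5_cc_remove_cred() is assigned to ret but execution falls through to the refetch path regardless, so a failed removal is neither reported to the caller nor stops the lookup from continuing; either return on a non-zero result or drop the assignment so that best-effort eviction is the stated intent.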
> 
> 
> >
> > -- Ragge
> >
> >
> > *** get_cred.c.orig	Tue May 10 13:12:53 2005
> > --- get_cred.c	Tue May 10 14:51:03 2005
> > ***************
> > *** 835,840 ****
> > --- 835,860 ----
> >   				in_creds->session.keytype ?
> >   				KRB5_TC_MATCH_KEYTYPE : 0,
> >   				in_creds, res_creds);
> > +     if (ret == 0) {
> > + 	krb5_error_code ret2;
> > + 	krb5_timestamp timeret;
> > + 
> > + 	/* Check if credential is expired */
> > + 	if((ret2 = krb5_timeofday(context, &timeret))) {
> > + 	    free(res_creds);
> > + 	    return ret2;
> > + 	}
> > + 
> > + 	if (res_creds->times.endtime < timeret) {
> > + 		/* delete old principal and refetch */
> > + 		if((ret2 = krb5_cc_remove_cred(context, ccache, 0, res_creds))){
> > + 			free(res_creds);
> > + 			return ret2;
> > + 		}
> > + 		ret = KRB5_CC_END; /* XXX */
> > + 	}
> > +     }
> > + 
> >       if(ret == 0) {
> >   	*out_creds = res_creds;
> >   	return 0;
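Review bot: the `ret = KRB5_CC_END; /* XXX */` line reuses a cache-iteration error code as a control-flow signal to reach the refetch path, which is presumably what the XXX marks; it only works because the original code (visible as the removed `if(ret != KRB5_CC_END)` line in the unified diff above) skips its early return for that value, so the hack silently depends on a check several lines away. The eviction also runs regardless of options, so a cache-only lookup with KRB5_GC_CACHED has the side effect of deleting the entry; gating the krb5_cc_remove_cred() call on `(options & KRB5_GC_CACHED) == 0`, as the unified diff does, avoids that. Minor: `res_creds->times.endtime < timeret` treats a ticket whose endtime equals the current second as still valid, whereas the unified diff's `endtime > timeret` test treats it as expired.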
> >
> >
> >
> >
> > On Mon, May 09, 2005 at 09:15:10AM +0200, Anders Magnusson wrote:
> >> I should note that this is with Heimdal 0.6.3, tested on both Solaris and 
> >> NetBSD.
> >> 
> >> -- Ragge
> >> 
> >> On Wed, 04 May 2005 12:07:02 +0200 Anders Magnusson wrote:
> >> > 
> >> > I have an annoying problem: expired tickets do not get re-requested even if 
> >> > the tgt is not expired.  For example; if the ccache contains this:
> >> > 
> >> > ulrik.dc.luth.se:/home/ragge >klist
> >> > Credentials cache: FILE:/tmp/krb5cc_30
> >> >         Principal: ragge@LTU.SE
> >> > 
> >> >   Issued           Expires          Principal                 
> >> > May  3 13:59:48  May  3 23:58:32  krbtgt/LTU.SE@LTU.SE        
> >> > May  3 13:59:48  May  3 23:58:32  krbtgt/LTU.SE@LTU.SE        
> >> > May  3 14:01:06  >>>Expired<<<    host/osiris.dc.ltu.se@LTU.SE
> >> > 
> >> > then I can't get kerberos to work when trying to connect to osiris. OpenSSH 4 
> >> > -v says:
> >> > 
> >> > ...
> >> > debug1: Next authentication method: gssapi-with-mic
> >> > debug1: Delegating credentials
> >> > debug1:  The context has expired
> >> > Undefined error: 0
> >> > ...
> >> > 
> >> > and telnet says the same:
> >> > 
> >> > ulrik.dc.luth.se:/home/ragge >telnet osiris
> >> > Trying 130.240.112.182...
> >> > Connected to osiris.dc.ltu.se.
> >> > Escape character is '^]'.
> >> > [ Trying KERBEROS5 ... ]
> >> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
> >> > [ Trying KERBEROS5 ... ]
> >> > [ Kerberos V5 refuses authentication because Read req failed: Ticket expired ]
> >> > 
> >> > Shouldn't the expired ticket get re-requested?
> >> > 
> >> > -- Ragge
> >> > 
> >> > 
> >>
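To make the behaviour discussed in this thread concrete outside of Heimdal, here is an added stand-alone example (not code from Heimdal or from either patch above) that models the lookup path on a tiny in-memory credential cache: a cached entry is a hit only while its endtime lies ahead of the current time, an expired entry is evicted unless the caller asked for cached results only, and a refetch is simulated by storing a fresh entry. All names (cred_cache, get_cred, CC_END, GC_CACHED, the 1000-second clock values and the principals reused from the klist output) are constructed stand-ins, not Heimdal's API; the endtime-equals-now boundary follows the unified diff's `>` test.

```c
/*
 * Added example, not part of the Heimdal patches in this thread.
 * A miniature credential cache used to exercise "expired cached
 * credential => evict and refetch" stand-alone.  Every identifier below
 * is a constructed stand-in for the corresponding Heimdal concept.
 */
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 4
#define CC_END      (-1)   /* stand-in for KRB5_CC_END: no matching entry */
#define CC_NOTFOUND (-2)   /* stand-in for KRB5_CC_NOTFOUND */
#define CC_FULL     (-3)   /* constructed: no free slot in the cache */
#define GC_CACHED   0x01   /* stand-in for KRB5_GC_CACHED: cache-only lookup */

typedef struct {
    char principal[64];
    long endtime;          /* absolute expiry, seconds since the epoch */
    int  used;
} cred_entry;

typedef struct {
    cred_entry slot[CACHE_SLOTS];
    int removals;          /* expired entries evicted so far */
    int refetches;         /* simulated TGS requests so far */
} cred_cache;

static void cache_init(cred_cache *cc) { memset(cc, 0, sizeof *cc); }

/* Store an entry in the first free slot; CC_FULL if there is none. */
static int cache_store(cred_cache *cc, const char *principal, long endtime)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cc->slot[i].used) {
            snprintf(cc->slot[i].principal, sizeof cc->slot[i].principal,
                     "%s", principal);
            cc->slot[i].endtime = endtime;
            cc->slot[i].used = 1;
            return 0;
        }
    }
    return CC_FULL;
}

/* Find an entry by principal: 0 on hit (pointer in *out), CC_END on miss. */
static int cache_retrieve(cred_cache *cc, const char *principal,
                          cred_entry **out)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cc->slot[i].used && strcmp(cc->slot[i].principal, principal) == 0) {
            *out = &cc->slot[i];
            return 0;
        }
    }
    return CC_END;
}

/*
 * The lookup discussed in the thread.  A cached credential counts as a hit
 * only while its endtime is still ahead of 'now'.  An expired entry is
 * evicted (unless the caller asked for cached results only) and then
 * re-fetched; the "KDC" is simulated by storing a fresh entry that expires
 * at new_endtime.  Returns 0 and copies the credential into *out on success.
 */
static int get_cred(cred_cache *cc, const char *principal, long now,
                    int options, long new_endtime, cred_entry *out)
{
    cred_entry *hit;
    int ret = cache_retrieve(cc, principal, &hit);

    if (ret == 0) {
        if (hit->endtime > now) {      /* still valid: hand it out */
            *out = *hit;
            return 0;
        }
        /* endtime <= now counts as expired; drop the entry so the stale
         * ticket can never be returned again */
        if ((options & GC_CACHED) == 0) {
            hit->used = 0;
            cc->removals++;
        }
    } else if (ret != CC_END) {
        return ret;                    /* a real cache error, not a miss */
    }

    if (options & GC_CACHED)
        return CC_NOTFOUND;            /* caller forbade a refetch */

    cc->refetches++;                   /* simulated TGS request */
    ret = cache_store(cc, principal, new_endtime);
    if (ret != 0)
        return ret;
    ret = cache_retrieve(cc, principal, &hit);
    if (ret != 0)
        return ret;
    *out = *hit;
    return 0;
}

/* Reproduce the reported ccache: live TGT plus an expired host ticket. */
static int demo(void)
{
    cred_cache cc;
    cred_entry got;
    const long now = 1000;             /* constructed clock value */

    cache_init(&cc);
    cache_store(&cc, "krbtgt/LTU.SE@LTU.SE", now + 3600);
    cache_store(&cc, "host/osiris.dc.ltu.se@LTU.SE", now - 60);

    if (get_cred(&cc, "host/osiris.dc.ltu.se@LTU.SE", now, 0, now + 600, &got) != 0)
        return -1;
    printf("host ticket now expires at %ld (removals=%d refetches=%d)\n",
           got.endtime, cc.removals, cc.refetches);
    return 0;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

Running it prints the refreshed expiry for the host ticket with one eviction and one refetch; the valid TGT is untouched because its endtime is still ahead of the clock.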