
PK-Init and proxy certs question


I have a question (or maybe it is a bug) regarding the tgt generation
out of globus proxy certificates. That's what I did:

[brutus-vm10] ~ % date
Tue Sep 25 15:23:45 CEST 2007
[brutus-vm10] ~ % grid-proxy-init -rfc
Your identity: /O=GermanGrid/OU=DESY/CN=Andreas Haupt
Enter GRID pass phrase for this identity:
Creating proxy ....................................... Done
Your proxy is valid until: Wed Sep 26 03:23:50 2007
[brutus-vm10] ~ % grid-proxy-info     
subject  : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=1396311403
issuer   : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_p31139.fileiLYtv0.1
timeleft : 11:59:55
[brutus-vm10] ~ % kinit -C FILE:/tmp/x509up_p31139.fileiLYtv0.1 ahaupt@IFH.DE
[brutus-vm10] ~ % klist
Credentials cache: FILE:/tmp/krb5cc_9132_rd3v5E
        Principal: ahaupt@IFH.DE

  Issued           Expires          Principal
Sep 25 15:24:00  Sep 26 16:23:59  krbtgt/IFH.DE@IFH.DE
Sep 25 15:24:01  Sep 26 16:23:59  afs@IFH.DE

What you can see is that the TGT is valid for a longer time (actually
the default ticket lifetime) than the original proxy certificate. Is it
a misconfiguration? Or a bug?

BTW: I've written a PAM module that generates a K5 TGT out of a
delegated globus proxy (e.g. by gsissh) at login. With the help of
pam_krb5afs you can even obtain an AFS token. It is called
pam_gridpxy2krb5 and can be downloaded from here:


Please feel free to use or modify it.


| Andreas Haupt             | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216
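
The mismatch reported in the message above can be checked mechanically. The following is an added example, not part of the original post and not code from pam_gridpxy2krb5: it parses the two expiry times from the quoted session and reports how far each ticket outlives the proxy. The function names are hypothetical, and both tools are assumed to print the same local time zone.

```python
from datetime import datetime

# Constructed sample input: lines copied from the session quoted in the post.
# Neither tool prints a time zone; the same local zone is assumed for both.
PROXY_LINE = "Your proxy is valid until: Wed Sep 26 03:23:50 2007"
KLIST_OUTPUT = """\
  Issued           Expires          Principal
Sep 25 15:24:00  Sep 26 16:23:59  krbtgt/IFH.DE@IFH.DE
Sep 25 15:24:01  Sep 26 16:23:59  afs@IFH.DE
"""
FMT = "%Y %b %d %H:%M:%S"

def proxy_not_after(line):
    """Expiry time from grid-proxy-init's 'valid until' line."""
    stamp = line.split("valid until:", 1)[1].strip()
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")

def parse_klist(text, year):
    """(principal, issued, expires) per ticket row; klist omits the year."""
    tickets = []
    for row in text.splitlines():
        f = row.split()
        if len(f) != 7:              # header or blank line
            continue
        issued = datetime.strptime(f"{year} {f[0]} {f[1]} {f[2]}", FMT)
        expires = datetime.strptime(f"{year} {f[3]} {f[4]} {f[5]}", FMT)
        if expires < issued:         # ticket spans New Year
            expires = expires.replace(year=year + 1)
        tickets.append((f[6], issued, expires))
    return tickets

def overruns(proxy_end, tickets):
    """Map principal -> timedelta for tickets that outlive the proxy cert."""
    return {p: exp - proxy_end for p, _, exp in tickets if exp > proxy_end}

def max_lifetime_seconds(proxy_end, issued):
    """Proxy validity left at ticket issue time; 0 if already expired."""
    return max(0, int((proxy_end - issued).total_seconds()))

if __name__ == "__main__":
    end = proxy_not_after(PROXY_LINE)
    tickets = parse_klist(KLIST_OUTPUT, end.year)
    for principal, extra in overruns(end, tickets).items():
        print(f"{principal}: valid {extra} beyond proxy expiry {end}")
    cap = max_lifetime_seconds(end, tickets[0][1])
    print(f"proxy validity left when the TGT was issued: {cap} s")
```
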