Jichao Wang created DIRKRB-761:
----------------------------------

Summary: The ticket validity period obtained by the Kerberos client may be larger than the maximum set on the KDC
Key: DIRKRB-761
URL: https://issues.apache.org/jira/browse/DIRKRB-761
Project: Directory Kerberos
Issue Type: Bug
Affects Versions: 2.0.2, 2.0.1, 2.0.0
Reporter: Jichao Wang
Fix For: 2.0.3
The ticket lifetime obtained by the Kerberos client may be greater than the maximum lifetime configured on the KDC (maximum_ticket_lifetime).

The contents of kdc.conf are as follows:

{code:java}
[kdcdefaults]
  kdc_host = krb-wjc-kerberos-0
  kdc_udp_port = 88
  kdc_tcp_port = 88
  kdc_realm = HADOOP.COM
  encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  preauth_required = false
  maximum_renewable_lifetime = 0
  maximum_ticket_lifetime = 86400
  minimum_ticket_lifetime = 0
{code}

Based on the above configuration, the maximum ticket lifetime obtained by the Kerberos client should be 1 day. However, when I use the following krb5.conf and methods to obtain the ticket, the lifetime of the ticket is 3 days, which is larger than the maximum of 1 day set on the KDC.

The contents of krb5.conf are as follows:

{code:java}
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 72h
  renew_lifetime = 0
  forwardable = false
  renewable = false
  rdns = false
  default_realm = HADOOP.COM
  default_ccache_name = /tmp/krb5cc_%{uid}
  udp_preference_limit = 1

[realms]
  HADOOP.COM = {
    kdc = krb-wjc-kerberos-0
  }
{code}

First install the Kerberos client on the CentOS 7 operating system by running the following command:

{code}
yum install -y krb5-devel krb5-workstation
{code}

Then use kinit to get the ticket from the KDC and use the klist command to view the ticket:

{code:java}
[root@localhost wjc]# kinit had...@hadoop.com
Password for had...@hadoop.com:
[root@localhost wjc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: had...@hadoop.com

Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/hadoop....@hadoop.com
	renew until 12/03/2022 16:44:10
{code}

We can see that the lifetime of the Kerberos ticket is 3 days, which is larger than the 1 day set in kdc.conf. This may cause security risks. So I think this is a bug.
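The check a KDC administrator would want for the situation above, as an added example that is not part of the report or of the Kerby project: read maximum_ticket_lifetime from kdc.conf, parse klist output, flag any ticket whose lifetime exceeds the configured maximum, and show the clamp a conforming KDC applies (RFC 4120 section 3.1.3: endtime is bounded by starttime plus the maximum lifetime). The kdc.conf and klist excerpts are constructed from the report, with a placeholder principal.

```python
import re
from datetime import datetime, timedelta

# Constructed kdc.conf excerpt mirroring the report: maximum lifetime of 1 day (86400 s).
KDC_CONF = """[kdcdefaults]
  kdc_realm = HADOOP.COM
  maximum_ticket_lifetime = 86400
  minimum_ticket_lifetime = 0
"""

# Constructed klist output mirroring the report; user@HADOOP.COM is a placeholder principal.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@HADOOP.COM

Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/HADOOP.COM@HADOOP.COM
\trenew until 12/03/2022 16:44:10
"""

KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"
# A ticket line is "<valid starting> <expires> <service principal>" in klist's default format.
TICKET_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)",
    re.M,
)

# Timestamps of the ticket in the report, used to exercise the clamp below.
REPORTED_START = datetime(2022, 12, 3, 16, 44, 10)
REPORTED_TILL = datetime(2022, 12, 6, 16, 44, 10)


def max_ticket_lifetime(kdc_conf: str) -> timedelta:
    """Return maximum_ticket_lifetime (given in seconds in kdc.conf) as a timedelta."""
    m = re.search(r"^\s*maximum_ticket_lifetime\s*=\s*(\d+)", kdc_conf, re.M)
    if not m:
        raise ValueError("maximum_ticket_lifetime is not set in kdc.conf")
    return timedelta(seconds=int(m.group(1)))


def parse_klist(output: str) -> list:
    """Return (service principal, valid starting, expires) for each ticket line."""
    return [(svc, datetime.strptime(start, KLIST_TIME_FMT), datetime.strptime(end, KLIST_TIME_FMT))
            for start, end, svc in TICKET_LINE.findall(output)]


def tickets_exceeding_max(klist_output: str, kdc_conf: str) -> list:
    """Return (service principal, lifetime in seconds) for tickets longer than the KDC maximum."""
    limit = max_ticket_lifetime(kdc_conf)
    return [(svc, int((end - start).total_seconds()))
            for svc, start, end in parse_klist(klist_output) if end - start > limit]


def clamp_endtime(starttime: datetime, requested_till: datetime, max_life: timedelta) -> datetime:
    """The bound a conforming KDC applies: never issue a ticket past starttime + max_life."""
    return min(requested_till, starttime + max_life)
```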
--
This message was sent by Atlassian Jira (v8.20.10#820010)