[jira] [Created] (DIRKRB-761) The ticket validity period obtained by the Kerberos client may be larger than the maximum set on the KDC

[Jichao Wang (Jira)]

Jichao Wang created DIRKRB-761:
----------------------------------

             Summary: The ticket validity period obtained by the Kerberos 
client may be larger than the maximum set on the KDC
                 Key: DIRKRB-761
                 URL: https://issues.apache.org/jira/browse/DIRKRB-761
             Project: Directory Kerberos
          Issue Type: Bug
    Affects Versions: 2.0.2, 2.0.1, 2.0.0
            Reporter: Jichao Wang
             Fix For: 2.0.3


The ticket lifetime obtained by the Kerberos client may be greater than the 
maximum lifetime configured on the KDC (maximum_ticket_lifetime)
The contents of kdc.conf are as follows:
{code:java}
[kdcdefaults]
  kdc_host = krb-wjc-kerberos-0
  kdc_udp_port = 88
  kdc_tcp_port = 88
  kdc_realm = HADOOP.COM
  encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  preauth_required = false
  maximum_renewable_lifetime = 0
  maximum_ticket_lifetime = 86400
  minimum_ticket_lifetime = 0 {code}
Based on the above configuration, the maximum ticket lifetime obtained by the 
Kerberos client should be 1 day. However, when I use the following krb5.conf 
and methods to obtain the ticket, the lifetime of the ticket is 3 days, which 
is larger than the maximum set on KDC of 1 day.

The contents of krb5.conf are as follows:
{code:java}
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 72h
 renew_lifetime = 0
 forwardable = false
 renewable = false
 rdns = false
 default_realm = HADOOP.COM
 default_ccache_name = /tmp/krb5cc_%{uid}
 udp_preference_limit = 1
[realms]
 HADOOP.COM = {
  kdc = krb-wjc-kerberos-0
 } {code}
First install the Kerberos client on the Centos7 operating system by running 
the following command:
yum install -y krb5-devel krb5-workstation
Then use kinit to get the ticket from KDC and use the klist command to view the 
ticket:
{code:java}
[root@localhost wjc]# kinit had...@hadoop.com
Password for had...@hadoop.com:
[root@localhost wjc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: had...@hadoop.com
Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/hadoop....@hadoop.com
        renew until 12/03/2022 16:44:10 {code}
We can see that the lifetime of the Kerberos ticket is 3 days, which is larger 
than the 1 day set in kdc.conf. This may cause security risks.

So I think this is a bug.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org