[ https://issues.apache.org/jira/browse/DIRKRB-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed DIRKRB-761.
--------------------------------------
> The ticket lifetime obtained by the Kerberos client may be larger than the
> maximum set on the KDC
> -------------------------------------------------------------------------------------------------
>
>                 Key: DIRKRB-761
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-761
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2
>            Reporter: Jichao Wang
>            Priority: Major
>             Fix For: 2.0.3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The ticket lifetime obtained by the Kerberos client may be greater than the
> maximum lifetime configured on the KDC (maximum_ticket_lifetime).
> The contents of kdc.conf are as follows:
> {code:java}
> [kdcdefaults]
>   kdc_host = krb-wjc-kerberos-0
>   kdc_udp_port = 88
>   kdc_tcp_port = 88
>   kdc_realm = HADOOP.COM
>   encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>   preauth_required = false
>   maximum_renewable_lifetime = 0
>   maximum_ticket_lifetime = 86400
>   minimum_ticket_lifetime = 0
> {code}
> Based on the above configuration, the maximum ticket lifetime obtained by the
> Kerberos client should be 1 day. However, when I use the following krb5.conf
> and methods to obtain the ticket, the lifetime of the ticket is 3 days, which
> is larger than the maximum set on the KDC of 1 day.
> The contents of krb5.conf are as follows:
> {code:java}
> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 72h
>   renew_lifetime = 0
>   forwardable = false
>   renewable = false
>   rdns = false
>   default_realm = HADOOP.COM
>   default_ccache_name = /tmp/krb5cc_%{uid}
>   udp_preference_limit = 1
> [realms]
>   HADOOP.COM = {
>     kdc = krb-wjc-kerberos-0
>   }
> {code}
> First install the Kerberos client on the CentOS 7 operating system by running
> the following command:
> {code:java}
> yum install -y krb5-devel krb5-workstation
> {code}
> Then use kinit to get the ticket from the KDC and use the klist command to view
> the ticket:
> {code:java}
> [root@localhost wjc]# kinit had...@hadoop.com
> Password for had...@hadoop.com:
> [root@localhost wjc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: had...@hadoop.com
> Valid starting       Expires              Service principal
> 12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/hadoop....@hadoop.com
>         renew until 12/03/2022 16:44:10
> {code}
> We can see that the lifetime of the Kerberos ticket is 3 days, which is
> larger than the 1 day set in kdc.conf. This may cause security risks.
> So I think this is a bug.
> Here's how I fix it:
> Add a maximum life cycle to the condition of the if statement at
> _org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java:173_ to
> ensure that the ticket lifetime obtained by the client is not greater than
> the maximum lifetime configured on the KDC.
> {code:java}
> Index: kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
> IDEA additional info:
> Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
> <+>UTF-8
> ===================================================================
> diff --git > a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java > > b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java > --- > a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java > (revision 8cdcd544d14af1f876e3bbb16c959f30de79577d) > +++ > b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java > (revision 242ef1024a66169516e636030c1e720a94f35ef1) > @@ -169,8 +169,9 @@ > } > > KerberosTime krbEndTime = request.getReqBody().getTill(); > - if (krbEndTime == null || krbEndTime.getTime() == 0) { > - krbEndTime = > krbStartTime.extend(config.getMaximumTicketLifetime() * 1000); > + KerberosTime maxEndTime = > krbStartTime.extend(config.getMaximumTicketLifetime() * 1000); > + if (krbEndTime == null || krbEndTime.getTime() == 0 || > krbEndTime.greaterThan(maxEndTime)) { > + krbEndTime = maxEndTime; > } else if (krbStartTime.greaterThan(krbEndTime)) { > throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID); > }{code}
-- This message was sent by Atlassian Jira (v8.20.10#820010)
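Review bot: the new condition `krbEndTime.greaterThan(maxEndTime)` correctly clamps a client-requested till to the KDC policy instead of honouring it, but the clamp now also runs when `config.getMaximumTicketLifetime()` is 0: `maxEndTime` then equals `krbStartTime`, and every request (not only those without a till, as before) would be issued a ticket whose end time equals its start time. The reporter's kdc.conf uses 0 for `maximum_renewable_lifetime` and `minimum_ticket_lifetime`, so it is worth confirming how a 0 maximum is meant to be read and guarding it explicitly before computing `maxEndTime`. The hunk also ships without a test asserting that a till beyond `maximum_ticket_lifetime` is reduced to the maximum, and the renewable lifetime shown on the `renew until` line of the report is not bounded by this change, so the same clamp against `maximum_renewable_lifetime` should be checked separately.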
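As an added check, not code from the report or from the Kerby project, the following script parses a kdc.conf and the klist output in the formats shown above and flags every ticket whose lifetime exceeds maximum_ticket_lifetime, which is how an administrator can detect the behaviour the report describes on a running KDC. The sample input is constructed, and the klist date format assumed is the one in the report (locale-dependent in practice).

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the kdc.conf and klist output in the report.
KDC_CONF = """\
[kdcdefaults]
  kdc_realm = HADOOP.COM
  maximum_ticket_lifetime = 86400
  minimum_ticket_lifetime = 0
"""

KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@HADOOP.COM
Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 12/03/2022 16:44:10
"""

# klist prints "start  end  service" per ticket; "renew until" lines are indented and skipped.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$", re.M)
KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: the locale format seen in the report


def max_ticket_lifetime(kdc_conf: str) -> int:
    """Return maximum_ticket_lifetime (seconds) from the kdc.conf text."""
    m = re.search(r"^\s*maximum_ticket_lifetime\s*=\s*(\d+)\s*$", kdc_conf, re.M)
    if not m:
        raise ValueError("maximum_ticket_lifetime is not set in kdc.conf")
    return int(m.group(1))


def ticket_lifetimes(klist_output: str) -> dict:
    """Map each service principal in klist output to its lifetime in seconds."""
    lifetimes = {}
    for start, end, service in TICKET_RE.findall(klist_output):
        delta = datetime.strptime(end, KLIST_TIME_FMT) - datetime.strptime(start, KLIST_TIME_FMT)
        lifetimes[service] = int(delta.total_seconds())
    return lifetimes


def tickets_exceeding_policy(kdc_conf: str, klist_output: str) -> dict:
    """Return {service: lifetime} for tickets that outlive the KDC's configured maximum."""
    limit = max_ticket_lifetime(kdc_conf)
    return {svc: life for svc, life in ticket_lifetimes(klist_output).items() if life > limit}


if __name__ == "__main__":
    for svc, life in tickets_exceeding_policy(KDC_CONF, KLIST_OUTPUT).items():
        print(f"{svc}: lifetime {life}s exceeds maximum_ticket_lifetime")
```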