Dear all,
let me make a proposal for extending the API,
based on three facts:
* The utility 'kinit' of Solaris', using a variant
of MIT Kerberos, is per default producing a
TGT-REQ with fields
req-body.endtime = 2037-12-31 00:00:00
req-body.rtime = 2037-12-31 00:00:00
unless overriden by '-l lifetime' and
'-r renewable_life'.
* In 'src/kdc.c', function asreq1(), the client
request is supposed to be adapted to local
policy regarding TGT expiry and renewal limit.
This is outlined in the comments, but is not
implemented in practice.
* 'src/kdc.c' has no access to "lib/internal.h",
whence 'shishid' has no possibility to read
neither 'handle.ticketlife' nor 'handle.renewlife'.
To implement the indicated expiry policy I imagine
four new API calls:
time_t shishi_endctime_realm (Shishi *handle, char *realm)
time_t shishi_renewctime_realm (Shishi *handle, char *realm)
time_t shishi_endctime_hint (Shishi *handle, Shishi_tkts_hint *hint)
time_t shishi_renewctime_hint (Shishi *handle, Shishi_tkts_hint *hint)
Better functions? Previously implemented alternatives?
The configuration items
ticket-life=TIME
renew-life=TIME
would state the default, server specific timing, while the new items
realm-ticket-life=REALM,TIME
realm-renew-life=REALM,TIME
could cover realm specific limits. A further detail requires
scrutiny: Which upper limit is suitable for absolute upper
limit for expiry time? I am inclined to use
'now' + 4 * 'default ticket life interval'
where the factor four is open for discussion.
Best regards,
Mats E A
_______________________________________________
Help-shishi mailing list
Help-shishi@gnu.org
https://lists.gnu.org/mailman/listinfo/help-shishi
