Bug 80155 - pam_krb5afs token length does not obey ticket_lifetime setting
Summary: pam_krb5afs token length does not obey ticket_lifetime setting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam_krb5
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2002-12-20 20:11 UTC by Mark Nejedlo
Modified: 2007-04-18 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-27 18:27:14 UTC



Description Mark Nejedlo 2002-12-20 20:11:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120
Netscape/7.01

Description of problem:
I have my ticket lifetime in krb5.conf set to 26 hours (93600s), but the tokens
I get at login are valid for about 4 hours 40 minutes.  The Krb5 ticket is valid
for the requested 26 hours, but the krb4 tickets for krbtgt and afs are only
valid for 4h, 40m.  When I decreased the ticket_lifetime variable, the token
lifetime got longer, and when I commented it out entirely, it was valid for 10
hours.  If I use the command line tools (kinit and aklog) to get a ticket and
token, they are all valid for 26h.  The pam section of [appdefaults] in
krb5.conf is below.

pam = {
   debug = false
   minimum_uid=1001
   ticket_lifetime = 93600
   renew_lifetime = 93600
   forwardable = true
   krb4_convert = true
   afs_cells = physics.wisc.edu
   validate = true
 }


Version-Release number of selected component (if applicable):
1.55-1


How reproducible:
Always

Steps to Reproduce:
1. Use the provided ticket lifetime configuration
2. Log in
3. Check ticket and token lifetimes
    

Actual Results:

willow:~/(1)% date ; klist;tokens
Fri Dec 20 11:48:34 CST 2002
Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN
Default principal: nejedlo@PHYSICS.WISC.EDU

Valid starting     Expires            Service principal
12/20/02 11:48:23  12/21/02 13:48:23  krbtgt/PHYSICS.WISC.EDU@PHYSICS.WISC.EDU
        renew until 12/21/02 13:48:23


Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl
Principal: nejedlo@PHYSICS.WISC.EDU

  Issued              Expires             Principal
12/20/02 11:48:23  12/20/02 16:28:23  krbtgt.PHYSICS.WISC.EDU@PHYSICS.WISC.EDU
12/20/02 11:48:24  12/20/02 16:28:24  afs@PHYSICS.WISC.EDU

Tokens held by the Cache Manager:

User's (AFS ID 28552) tokens for afs@physics.wisc.edu [Expires Dec 20 16:28]
   --End of list--
willow:~/(2)% 


Expected Results:

willow:~/(6)% kdestroy;unlog
willow:~/(7)% kinit nejedlo -5 -f -p -r 26h -l 26h ; /apps/krb5-1.2.5/bin/aklog
Password for nejedlo@PHYSICS.WISC.EDU: 
willow:~/(8)% date ; klist ; tokens
Fri Dec 20 11:56:39 CST 2002
Ticket cache: FILE:/tmp/krb5cc_28552_iKUkxN
Default principal: nejedlo@PHYSICS.WISC.EDU

Valid starting     Expires            Service principal
12/20/02 11:56:34  12/21/02 13:56:34  krbtgt/PHYSICS.WISC.EDU@PHYSICS.WISC.EDU
        renew until 12/21/02 13:56:34
12/20/02 11:56:37  12/21/02 13:56:34  afs@PHYSICS.WISC.EDU
        renew until 12/21/02 13:56:34


Kerberos 4 ticket cache: /tmp/tkt28552_M8s9Kl
klist: You have no tickets cached

Tokens held by the Cache Manager:

User's (AFS ID 28552) tokens for afs@physics.wisc.edu [Expires Dec 21 13:56]
   --End of list--
willow:~/(9)% 


Additional info:

Comment 1 Mark Nejedlo 2003-01-24 22:18:03 UTC
After further investigation, I have a fairly good idea what is happening.  My
default ticket lifetime above is used in a call to krb_mk_in_tkt_preauth,
specifically (lines 1638-1643 of pam_krb5afs.c from pam_krb5-1.55-1):

                        /* Note: the lifetime is measured in multiples of 5m. */
                        k4rc = krb_mk_in_tkt_preauth(v4name, v4inst, v4realm,
                                                     sname, sinst,
                                                     config->ticket_lifetime
                                                     / 60 / 5,
                                                     NULL, 0, ciphertext);

The ticket lifetime / 60 / 5 = 312.  In krb_mk_in_tkt_preauth it is cast into a
char when stuffed into the krb4 pkt.  Since 312 > 255, it gets truncated to 56,
and 56 * 5 = 280, or 4 hours, 40 minutes.  I still consider this a bug, in that
there is no documented limit on token lifetime, and because the limit is in this
PAM module, not AFS: using kinit + aklog (from
ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/) is able to do what is desired.  Thanks
Mark

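The narrowing conversion described in Comment 1, modelled as an added example. This is not code from pam_krb5 or from MIT Kerberos; it reproduces only the arithmetic shown in the excerpt above (seconds / 60 / 5 stored into a one-byte field) and contrasts it with a saturating conversion that clamps to the byte's range and reports that the request was shortened. The function names, the 5-minute unit constant and the 255 ceiling (the largest value an unsigned char holds on the linear krb4 scale) are the example's own assumptions; the AFS-style long-lifetime encoding that Comment 2 refers to is not modelled here.

```c
/* Added illustration of the lifetime truncation discussed in Comment 1.
 * Not code from pam_krb5 or MIT Kerberos: it models the arithmetic in the
 * excerpt (secs / 60 / 5 stored into a one-byte packet field) and a
 * saturating alternative. Names and constants are this example's own. */
#include <stdio.h>
#include <limits.h>

#define KRB4_LIFE_UNIT_SECS (5 * 60)   /* one krb4 lifetime unit: 5 minutes */
#define KRB4_LIFE_MAX_UNITS UCHAR_MAX  /* largest value the one-byte field holds */

/* Buggy conversion: the int computed as in the excerpt is narrowed to the
 * byte that goes on the wire, so anything above 255 units wraps modulo 256.
 * 93600 s -> 312 units -> stored as 56 (312 - 256). */
unsigned char v4_life_truncated(long ticket_lifetime_secs)
{
    int units = (int)(ticket_lifetime_secs / 60 / 5);
    return (unsigned char)units;
}

/* Saturating conversion: clamp to the byte's range instead of wrapping,
 * and tell the caller when the requested lifetime could not be honoured,
 * so it can log or refuse rather than silently hand out a short ticket. */
unsigned char v4_life_clamped(long ticket_lifetime_secs, int *was_clamped)
{
    long units = ticket_lifetime_secs / KRB4_LIFE_UNIT_SECS;
    if (units < 0)
        units = 0;
    *was_clamped = (units > KRB4_LIFE_MAX_UNITS);
    if (*was_clamped)
        units = KRB4_LIFE_MAX_UNITS;
    return (unsigned char)units;
}

/* Seconds that a given lifetime byte represents on the linear 5-minute scale. */
long v4_life_to_secs(unsigned char units)
{
    return (long)units * KRB4_LIFE_UNIT_SECS;
}

int main(void)
{
    long requested = 93600;   /* 26h, the value in the reporter's krb5.conf */
    int clamped = 0;
    unsigned char t = v4_life_truncated(requested);
    unsigned char c = v4_life_clamped(requested, &clamped);
    long tsecs = v4_life_to_secs(t);
    long csecs = v4_life_to_secs(c);

    printf("requested: %ld s\n", requested);
    printf("truncated: byte %u -> %ld s (%ldh%02ldm)\n",
           t, tsecs, tsecs / 3600, (tsecs % 3600) / 60);
    printf("clamped:   byte %u -> %ld s (%ldh%02ldm), shortened=%d\n",
           c, csecs, csecs / 3600, (csecs % 3600) / 60, clamped);
    return 0;
}
```

Run against the reporter's 93600-second setting, the truncated path yields byte 56, i.e. 16800 s (4h40m), exactly the lifetime observed in the bug; the clamped path yields byte 255 (21h15m) and sets the flag, which is the behaviour a caller should at least surface to the user. It also explains the reporter's observation that a smaller ticket_lifetime gave a longer token: the wrapped value, not the requested one, is what the KDC sees.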
Comment 2 Nalin Dahyabhai 2004-08-27 18:27:14 UTC
This should be fixed in the current release.  krb5 version 1.2 didn't
provide support for using AFS-style long lifetimes, but 1.3 does, and
pam_krb5 should be using it correctly.

