Re: Shishi interop server running

help-shishi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shishi interop server running

From:	Mats Erik Andersson
Subject:	Re: Shishi interop server running
Date:	Thu, 16 Aug 2012 04:21:24 +0200
User-agent:	Mutt/1.5.18 (2008-05-17)

torsdag den  9 augusti 2012 klockan 19:52 skrev Mats Erik Andersson detta:
> onsdag den  8 augusti 2012 klockan 15:18 skrev Simon Josefsson detta:
> > All,
> > 
> > I have setup a Shishi KDC for interop purposes on interop.josefsson.org.
> > The server is running Ubuntu 12.04 with Shishi installed from packages.
> 
> There is one issue with ticket life times in the present setup.
> 
> An outdated OpenSolaris, as well as a contemporary OpenIndiana, are
> both receiving TGT:s of almost infinite validity when requested by
> kinit(1) without specifying a desired life time at the command line.
> 
> In fact, the ticket is valid until 2037-12-31, at 00:00. Using
> instead "kinit -l 2h" provides the bounded, and correct expiry time.

The problem is that "src/kdc.c, line 361" accepts whatever end time
the client suggests, conducting no sanity check whatsoever.

I wanted to try the patch stated below, bit I troubled by the
difficulty to include the proper header allowing "handle->ticketlife"
to be evaluated. Hints?

Regards,

  Mats E A


diff --git a/src/kdc.c b/src/kdc.c
index 87222d8..28d11ae 100644
--- a/src/kdc.c
+++ b/src/kdc.c
@@ -342,6 +342,7 @@ asreq1 (Shishi_as * as)
   {
     char *till;
     size_t tilllen;
+    time_t now = time (NULL);
 
     rc = shishi_kdcreq_till (handle, shishi_as_req (as), &till, &tilllen);
     if (rc != SHISHI_OK)
@@ -358,9 +359,15 @@ asreq1 (Shishi_as * as)
        goto fatal;
       }
 
-    rc = shishi_encticketpart_endtime_set (handle,
-                                          shishi_tkt_encticketpart (tkt),
-                                          till);
+    if (difftime (shishi_kdcreq_tillc (handle, shishi_as_req (as)), now)
+               > handle->ticketlife)
+      rc = shishi_encticketpart_endtime_set
+               (handle, shishi_tkt_encticketpart (tkt),
+
+                shishi_generalize_time (handle, now + handle->ticketlife));
+    else
+      rc = shishi_encticketpart_endtime_set
+               (handle, shishi_tkt_encticketpart (tkt), till);
 
     free (till);
   }

[Prev in Thread]

Current Thread

[Next in Thread]

Shishi interop server running, Simon Josefsson, 2012/08/08
- Re: Shishi interop server running, Mats Erik Andersson, 2012/08/09
  - Re: Shishi interop server running, Mats Erik Andersson <=

Prev by Date: Re: Tickets with instance names.
Next by Date: Re: shishid: Usage of syslog facilities.
Previous by thread: Re: Shishi interop server running
Next by thread: Re: Solved: shishi directory rights
Index(es):
- Date
- Thread