help-shishi

Put a limit to ticket life span.


From: Mats Erik Andersson
Subject: Put a limit to ticket life span.
Date: Sat, 27 Oct 2012 16:49:55 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

I have brought this up before:

  A native Solaris Kerberos ticket request will be granted
  by "shishid" with a life span of 25 years, since libshishi
  does not perform sanitation. It is "shishid" that
  malfunctions, not the external client!

The following patch resets the requested expiration time for
any request that asks for more than a five-fold of the default
life span, simply by resetting the interval to the configured
default value. I have tested this with "kinit" on OpenIndiana
and "shishid" on Debian.

Regards,
  Mats Erik Andersson


From c2fe645f49e803ee331e3595c03a408b1140096b Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson <address@hidden>
Date: Sat, 27 Oct 2012 16:38:18 +0200
Subject: [PATCH] encticketpart: Limit excessive life span.

---
 lib/encticketpart.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/lib/encticketpart.c b/lib/encticketpart.c
index 4f7dc8e..4752caf 100644
--- a/lib/encticketpart.c
+++ b/lib/encticketpart.c
@@ -288,7 +288,9 @@ shishi_encticketpart_authtime_set (Shishi * handle,
  * @encticketpart: input EncTicketPart variable.
  * @endtime: character buffer containing a generalized time string.
  *
- * Set the EncTicketPart.endtime to supplied value.
+ * Set the EncTicketPart.endtime to a supplied value.
+ * A life span in excess of five default ticket life spans
+ * is reset to the configured default value.
  *
  * Return value: Returns %SHISHI_OK iff successful.
  **/
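Review bot: the sentence added to the comment ("A life span in excess of five default ticket life spans is reset to the configured default value") does not say what the life span is measured from or what value is written instead. In the code that follows, the span is measured from the current time (time (NULL)), not from the ticket's authtime or starttime, and the replacement is the current time plus handle->ticketlife. Spell both out here, and document that the function gives no indication to the caller when it has replaced @endtime, so a caller that needs the effective end time has to read it back.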
@@ -298,6 +300,14 @@ shishi_encticketpart_endtime_set (Shishi * handle,
                                  const char *endtime)
 {
   int res;
+  time_t limit, asked;
+
+  asked = shishi_generalize_ctime (handle, endtime);
+  limit = time (NULL) + handle->ticketlife;
+
+  /* Is the life span excessive?  Then standardize it.   */
+  if (asked > time (NULL) + 5 * handle->ticketlife)
+    endtime = shishi_generalize_time (handle, limit);
 
   res = shishi_asn1_write (handle, encticketpart, "endtime",
                           endtime, SHISHI_GENERALIZEDTIME_LENGTH);
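Review bot: `asked` is assigned from shishi_generalize_ctime (handle, endtime) and compared immediately, with no check that endtime was actually parsed; for a malformed string the outcome of the limit test depends on whatever value the conversion hands back. Check the result first and return an error for an unparsable time. time (NULL) is also called twice, so `limit` and the threshold in the `if` can come from different instants; read it once into a local and use that for both. The factor 5 should be a named constant, and because any request up to five default life spans is still written as asked, the comment should state that this is the intended policy. Finally, the clamp sits in the library setter, so every caller of shishi_encticketpart_endtime_set has its value silently rewritten; applying the limit where shishid processes the request would match the problem as described and keep the setter a plain setter.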
-- 
1.7.2.5



