Posted to dev@directory.apache.org by "Jichao Wang (Jira)" <ji...@apache.org> on 2022/12/05 02:09:00 UTC

[jira] [Created] (DIRKRB-761) The ticket validity period obtained by the Kerberos client may be larger than the maximum set on the KDC

Jichao Wang created DIRKRB-761:
----------------------------------

             Summary: The ticket validity period obtained by the Kerberos client may be larger than the maximum set on the KDC
                 Key: DIRKRB-761
                 URL: https://issues.apache.org/jira/browse/DIRKRB-761
             Project: Directory Kerberos
          Issue Type: Bug
    Affects Versions: 2.0.2, 2.0.1, 2.0.0
            Reporter: Jichao Wang
             Fix For: 2.0.3


The ticket lifetime obtained by the Kerberos client may be greater than the maximum lifetime configured on the KDC (maximum_ticket_lifetime).
The contents of kdc.conf are as follows:
{code:java}
[kdcdefaults]
  kdc_host = krb-wjc-kerberos-0
  kdc_udp_port = 88
  kdc_tcp_port = 88
  kdc_realm = HADOOP.COM
  encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  preauth_required = false
  maximum_renewable_lifetime = 0
  maximum_ticket_lifetime = 86400
  minimum_ticket_lifetime = 0
{code}
Based on the above configuration, the maximum ticket lifetime obtained by the Kerberos client should be 1 day. However, when I use the following krb5.conf and methods to obtain the ticket, the lifetime of the ticket is 3 days, which is larger than the 1-day maximum set on the KDC.

The contents of krb5.conf are as follows:
{code:java}
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 72h
 renew_lifetime = 0
 forwardable = false
 renewable = false
 rdns = false
 default_realm = HADOOP.COM
 default_ccache_name = /tmp/krb5cc_%{uid}
 udp_preference_limit = 1
[realms]
 HADOOP.COM = {
  kdc = krb-wjc-kerberos-0
 }
{code}
First install the Kerberos client on the CentOS 7 operating system by running the following command:
{code:java}
yum install -y krb5-devel krb5-workstation
{code}
Then use kinit to get the ticket from KDC and use the klist command to view the ticket:
{code:java}
[root@localhost wjc]# kinit hadoop@HADOOP.COM
Password for hadoop@HADOOP.COM:
[root@localhost wjc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoop@HADOOP.COM
Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 12/03/2022 16:44:10
{code}
We can see that the lifetime of the Kerberos ticket is 3 days, which is larger than the 1 day set in kdc.conf. This may cause security risks.

So I think this is a bug.
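As an added example (not code from this issue or from the Apache Kerby project), the following Python shows the clamping rule the report expects the KDC to apply, the granted lifetime should be the requested lifetime capped at maximum_ticket_lifetime, together with a small checker that parses klist output and flags tickets whose validity window exceeds that maximum, which is how a defender would detect the condition described above on existing credential caches. The duration parser, the sample klist text and all function names are constructed for this example; the parser handles plain seconds and the unit-suffix form (72h, 1d12h) used in the krb5.conf above, not every syntax the real libraries accept.

```python
"""Check Kerberos ticket lifetimes against a KDC's configured maximum.

Added example, not part of the Jira issue or of Apache Kerby. All sample
data below is constructed to mirror the values in the report.
"""
from __future__ import annotations

import re
from datetime import datetime

# Accepted duration syntax for this example (assumption): plain seconds, or
# one or more "<n><unit>" groups with unit d/h/m/s, e.g. "86400", "72h", "1d12h".
_DURATION_SHAPE = re.compile(r"(?:\d+[dhms]?\s*)+")
_DURATION_PART = re.compile(r"(\d+)([dhms]?)")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Return the number of seconds expressed by a krb5/kdc.conf style duration."""
    text = text.strip().lower()
    if not text or not _DURATION_SHAPE.fullmatch(text):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_PART.findall(text))


def granted_lifetime(requested_seconds: int, max_ticket_lifetime: int) -> int:
    """Lifetime a KDC is expected to grant: the client's request, but never
    more than the KDC's maximum_ticket_lifetime. This is the clamp the report
    says was not applied (72h requested, 86400s maximum, 3 days granted)."""
    if requested_seconds < 0 or max_ticket_lifetime <= 0:
        raise ValueError("lifetimes must be positive")
    return min(requested_seconds, max_ticket_lifetime)


# One credential line of `klist` output: start, expiry, service principal.
_KLIST_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
_KLIST_TS = "%m/%d/%Y %H:%M:%S"


def parse_klist(output: str) -> list[dict]:
    """Extract (service, start, end, lifetime in seconds) from klist output.
    Header lines and 'renew until' continuation lines are skipped."""
    tickets = []
    for raw in output.splitlines():
        m = _KLIST_LINE.match(raw.strip())
        if not m:
            continue
        start = datetime.strptime(m.group(1), _KLIST_TS)
        end = datetime.strptime(m.group(2), _KLIST_TS)
        tickets.append({
            "service": m.group(3),
            "start": start,
            "end": end,
            "lifetime": int((end - start).total_seconds()),
        })
    return tickets


def tickets_exceeding_max(output: str, max_ticket_lifetime: int) -> list[dict]:
    """Return the tickets whose validity window is longer than the KDC maximum.
    A non-empty result means the KDC issued something its own config forbids."""
    return [t for t in parse_klist(output) if t["lifetime"] > max_ticket_lifetime]


# Constructed klist output matching the report: a 3-day TGT.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoop@HADOOP.COM
Valid starting       Expires              Service principal
12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 12/03/2022 16:44:10
"""

if __name__ == "__main__":
    kdc_max = parse_duration("86400")        # maximum_ticket_lifetime from kdc.conf
    requested = parse_duration("72h")        # ticket_lifetime from krb5.conf
    print("expected granted lifetime:", granted_lifetime(requested, kdc_max), "s")
    for t in tickets_exceeding_max(SAMPLE_KLIST, kdc_max):
        print(f"VIOLATION: {t['service']} valid {t['lifetime']}s > max {kdc_max}s")
```

Run against real `klist` output (for example `klist | python3 check.py` after replacing SAMPLE_KLIST with `sys.stdin.read()`), the checker gives a quick audit of whether cached tickets respect the KDC policy while the fix is being rolled out.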


