Posted to dev@directory.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2023/02/20 07:34:00 UTC

[jira] [Closed] (DIRKRB-761) The ticket lifetime obtained by the Kerberos client may be larger than the maximum set on the KDC

     [ https://issues.apache.org/jira/browse/DIRKRB-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed DIRKRB-761.
--------------------------------------

> The ticket lifetime obtained by the Kerberos client may be larger than the maximum set on the KDC
> -------------------------------------------------------------------------------------------------
>
>                 Key: DIRKRB-761
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-761
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2
>            Reporter: Jichao Wang
>            Priority: Major
>             Fix For: 2.0.3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The ticket lifetime obtained by the Kerberos client may be greater than the maximum lifetime configured on the KDC (maximum_ticket_lifetime).
> The contents of kdc.conf are as follows:
> {code:java}
> [kdcdefaults]
>   kdc_host = krb-wjc-kerberos-0
>   kdc_udp_port = 88
>   kdc_tcp_port = 88
>   kdc_realm = HADOOP.COM
>   encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>   preauth_required = false
>   maximum_renewable_lifetime = 0
>   maximum_ticket_lifetime = 86400
>   minimum_ticket_lifetime = 0
> {code}
> Based on the above configuration, the maximum ticket lifetime obtained by the Kerberos client should be 1 day. However, when I use the following krb5.conf and methods to obtain the ticket, the lifetime of the ticket is 3 days, which is larger than the maximum of 1 day set on the KDC.
> The contents of krb5.conf are as follows:
> {code:java}
> [libdefaults]
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 72h
>  renew_lifetime = 0
>  forwardable = false
>  renewable = false
>  rdns = false
>  default_realm = HADOOP.COM
>  default_ccache_name = /tmp/krb5cc_%{uid}
>  udp_preference_limit = 1
> [realms]
>  HADOOP.COM = {
>   kdc = krb-wjc-kerberos-0
>  }
> {code}
> First install the Kerberos client on the CentOS 7 operating system by running the following command:
> {code:java}
> yum install -y krb5-devel krb5-workstation
> {code}
> Then use kinit to get the ticket from KDC and use the klist command to view the ticket:
> {code:java}
> [root@localhost wjc]# kinit hadoop@HADOOP.COM
> Password for hadoop@HADOOP.COM:
> [root@localhost wjc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hadoop@HADOOP.COM
> Valid starting       Expires              Service principal
> 12/03/2022 16:44:10  12/06/2022 16:44:10  krbtgt/HADOOP.COM@HADOOP.COM
>         renew until 12/03/2022 16:44:10
> {code}
> We can see that the lifetime of the Kerberos ticket is 3 days, which is larger than the 1 day set in kdc.conf. This may cause security risks.
> So I think this is a bug.
> Here's how I fix it:
> Add a maximum life cycle to the condition of the if statement at _org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java:173_ to ensure that the ticket lifetime obtained by the client is not greater than the maximum lifetime configured on the KDC.
> {code:java}
> Index: kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
> IDEA additional info:
> Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
> <+>UTF-8
> ===================================================================
> diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
> --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java    (revision 8cdcd544d14af1f876e3bbb16c959f30de79577d)
> +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java    (revision 242ef1024a66169516e636030c1e720a94f35ef1)
> @@ -169,8 +169,9 @@
>          }
>  
>          KerberosTime krbEndTime = request.getReqBody().getTill();
> -        if (krbEndTime == null || krbEndTime.getTime() == 0) {
> -            krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
> +        KerberosTime maxEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
> +        if (krbEndTime == null || krbEndTime.getTime() == 0 || krbEndTime.greaterThan(maxEndTime)) {
> +            krbEndTime = maxEndTime;
>          } else if (krbStartTime.greaterThan(krbEndTime)) {
>              throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
>          }{code}
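Review bot: the new clamp in this hunk changes what a configured `maximum_ticket_lifetime = 0` means: `maxEndTime` then equals `krbStartTime`, so every non-null `till` satisfies `krbEndTime.greaterThan(maxEndTime)` and the issued end time collapses to the start time, whereas before the change a client-supplied `till` was honoured as long as it lay after `krbStartTime`. The kdc.conf in this report already uses 0 as the "unset" value for `maximum_renewable_lifetime` and `minimum_ticket_lifetime`, so the patch should decide explicitly how 0 is handled here, for example by guarding the new comparison with `config.getMaximumTicketLifetime() > 0` or by rejecting 0 when the configuration is loaded. Clamping to the minimum of the requested `till` and `krbStartTime` plus the maximum lifetime is otherwise the expected KDC behaviour (RFC 4120 section 3.1.3); a unit test issuing a 72h request against an 86400-second maximum would pin that down.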

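To make the before/after behaviour of the fix concrete, the following is an added example (not Kerby's code) that models the end-time computation in TicketIssuer in Python with the values from this report; the names `ticket_end_time`, `KdcErrNeverValid`, `KDC_MAX`, `START` and `REQUESTED_TILL` are assumptions of the example, and a null or zero `till` is modelled as `None`.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the KDC end-time decision (not the project's own code).
# Lifetimes are in seconds, matching kdc.conf maximum_ticket_lifetime and the
# krb5.conf ticket_lifetime the client turns into the request's 'till'.


class KdcErrNeverValid(Exception):
    """Stands in for KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID)."""


def ticket_end_time(start: datetime, till: Optional[datetime],
                    max_ticket_lifetime: int, clamp: bool) -> datetime:
    """Return the endtime the KDC writes into the issued ticket.

    clamp=False reproduces the pre-fix behaviour reported in DIRKRB-761:
    a client-supplied 'till' is honoured whenever it lies after 'start'.
    clamp=True reproduces the fix: endtime = min(till, start + max lifetime).
    """
    max_end = start + timedelta(seconds=max_ticket_lifetime)
    # A missing 'till' means "as long as the KDC allows" in both versions;
    # with the fix, a 'till' beyond the KDC maximum is clamped to it as well.
    if till is None or (clamp and till > max_end):
        return max_end
    # Unchanged path: a 'till' before the start time is rejected, not clamped.
    if start > till:
        raise KdcErrNeverValid()
    return till


def lifetime_seconds(start: datetime, end: datetime) -> int:
    """Ticket lifetime as klist would show it: Expires minus Valid starting."""
    return int((end - start).total_seconds())


# Scenario from the report (constructed from the posted configs and klist output):
# kdc.conf maximum_ticket_lifetime = 86400, krb5.conf ticket_lifetime = 72h,
# kinit at 12/03/2022 16:44:10.
KDC_MAX = 86400
START = datetime(2022, 12, 3, 16, 44, 10)
REQUESTED_TILL = START + timedelta(hours=72)
PAST_TILL = START - timedelta(minutes=1)  # a 'till' earlier than the start time


def report_scenario(clamp: bool) -> int:
    """Lifetime (seconds) the client ends up with before (False) / after (True) the fix."""
    return lifetime_seconds(START, ticket_end_time(START, REQUESTED_TILL, KDC_MAX, clamp))


if __name__ == "__main__":
    print("before fix:", report_scenario(False) // 86400, "day(s)")  # 3, as in the klist output
    print("after fix: ", report_scenario(True) // 86400, "day(s)")   # 1, the kdc.conf maximum
```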
--
This message was sent by Atlassian Jira
(v8.20.10#820010)