You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2023/02/20 07:34:00 UTC
[jira] [Closed] (DIRKRB-761) The ticket lifetime obtained by the Kerberos client may be larger than the maximum set on the KDC
[ https://issues.apache.org/jira/browse/DIRKRB-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed DIRKRB-761.
--------------------------------------
> The ticket lifetime obtained by the Kerberos client may be larger than the maximum set on the KDC
> -------------------------------------------------------------------------------------------------
>
> Key: DIRKRB-761
> URL: https://issues.apache.org/jira/browse/DIRKRB-761
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.0, 2.0.1, 2.0.2
> Reporter: Jichao Wang
> Priority: Major
> Fix For: 2.0.3
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The ticket lifetime obtained by the Kerberos client may be greater than the maximum lifetime configured on the KDC (maximum_ticket_lifetime)
> The contents of kdc.conf are as follows:
> {code:java}
> [kdcdefaults]
> kdc_host = krb-wjc-kerberos-0
> kdc_udp_port = 88
> kdc_tcp_port = 88
> kdc_realm = HADOOP.COM
> encryption_types = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> preauth_required = false
> maximum_renewable_lifetime = 0
> maximum_ticket_lifetime = 86400
> minimum_ticket_lifetime = 0 {code}
> Based on the above configuration, the maximum ticket lifetime obtained by the Kerberos client should be 1 day. However, when I use the following krb5.conf and methods to obtain the ticket, the lifetime of the ticket is 3 days, which is larger than the maximum set on KDC of 1 day.
> The contents of krb5.conf are as follows:
> {code:java}
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 72h
> renew_lifetime = 0
> forwardable = false
> renewable = false
> rdns = false
> default_realm = HADOOP.COM
> default_ccache_name = /tmp/krb5cc_%{uid}
> udp_preference_limit = 1
> [realms]
> HADOOP.COM = {
> kdc = krb-wjc-kerberos-0
> } {code}
> First install the Kerberos client on the Centos7 operating system by running the following command:
> {code:java}
> yum install -y krb5-devel krb5-workstation {code}
> Then use kinit to get the ticket from KDC and use the klist command to view the ticket:
> {code:java}
> [root@localhost wjc]# kinit hadoop@HADOOP.COM
> Password for hadoop@HADOOP.COM:
> [root@localhost wjc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hadoop@HADOOP.COM
> Valid starting Expires Service principal
> 12/03/2022 16:44:10 12/06/2022 16:44:10 krbtgt/HADOOP.COM@HADOOP.COM
> renew until 12/03/2022 16:44:10 {code}
> We can see that the lifetime of the Kerberos ticket is 3 days, which is larger than the 1 day set in kdc.conf. This may cause security risks.
> So I think this is a bug.
> Here's how I fix it:
> Add a maximum life cycle to the condition of the if statement at _org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java:173_ to ensure that the ticket lifetime obtained by the client is not greater than the maximum lifetime configured on the KDC.
> {code:java}
> Index: kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
> IDEA additional info:
> Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
> <+>UTF-8
> ===================================================================
> diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
> --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java (revision 8cdcd544d14af1f876e3bbb16c959f30de79577d)
> +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java (revision 242ef1024a66169516e636030c1e720a94f35ef1)
> @@ -169,8 +169,9 @@
> }
>
> KerberosTime krbEndTime = request.getReqBody().getTill();
> - if (krbEndTime == null || krbEndTime.getTime() == 0) {
> - krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
> + KerberosTime maxEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000);
> + if (krbEndTime == null || krbEndTime.getTime() == 0 || krbEndTime.greaterThan(maxEndTime)) {
> + krbEndTime = maxEndTime;
> } else if (krbStartTime.greaterThan(krbEndTime)) {
> throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
> }{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org