diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-05-11 18:07:30 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-05-11 18:07:30 +0000 |
| commit | 39629e9df44ce8c4ad72fde951390acc6864407d (patch) | |
| tree | 68f29efeaa036fcb600a89353d018edfba8d76a3 /src | |
| parent | 70e46d97b6907da651069d1c0d74163b9edae5ea (diff) | |
| download | krb5-39629e9df44ce8c4ad72fde951390acc6864407d.tar.gz krb5-39629e9df44ce8c4ad72fde951390acc6864407d.tar.xz krb5-39629e9df44ce8c4ad72fde951390acc6864407d.zip | |
Omit start time in common AS requests
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
ticket: 7130
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 14 | ||||
| -rw-r--r-- | src/tests/t_skew.py | 34 |
2 files changed, 33 insertions, 15 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 21b92e033..1ae8021a7 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -666,6 +666,8 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, krb5_error_code code = 0; unsigned char random_buf[4]; krb5_data random_data; + krb5_timestamp from; + if (ctx->preauth_to_use) { krb5_free_pa_data(context, ctx->preauth_to_use); ctx->preauth_to_use = NULL; @@ -728,14 +730,16 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, ctx->opte, ctx->request); - ctx->request->from = krb5int_addint32(ctx->request_time, - ctx->start_time); - ctx->request->till = krb5int_addint32(ctx->request->from, - ctx->tkt_life); + /* Omit request start time in the common case. MIT and Heimdal KDCs will + * ignore it for non-postdated tickets anyway. */ + from = krb5int_addint32(ctx->request_time, ctx->start_time); + if (ctx->start_time != 0) + ctx->request->from = from; + ctx->request->till = krb5int_addint32(from, ctx->tkt_life); if (ctx->renew_life > 0) { ctx->request->rtime = - krb5int_addint32(ctx->request->from, ctx->renew_life); + krb5int_addint32(from, ctx->renew_life); if (ctx->request->rtime < ctx->request->till) { /* don't ask for a smaller renewable time than the lifetime */ ctx->request->rtime = ctx->request->till; diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py index 668e553a1..18bd92287 100644 --- a/src/tests/t_skew.py +++ b/src/tests/t_skew.py @@ -28,17 +28,31 @@ conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}} realm = K5Realm(start_kdc=False, krb5_conf=conf) realm.start_kdc(['-T', '-3600']) -# kinit (no preauth) should work, but kvno should not. kinit with -# FAST should also fail since the armor AP-REQ won't be valid. -realm.kinit(realm.user_princ, password('user')) -realm.run_as_client([kvno, realm.host_princ], expected_code=1) -realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], - expected_code=1) - -# kinit (with preauth) should fail, with or without FAST. +# Get tickets to use for FAST kinit tests. The start time offset is +# ignored by the KDC since we aren't getting postdatable tickets, but +# serves to suppress the client clock skew check on the KDC reply. +fast_cache = realm.ccache + '.fast' +realm.kinit(realm.user_princ, password('user'), + flags=['-s', '-3600s', '-c', fast_cache]) + +# kinit should detect too much skew in the KDC response. kinit with +# FAST should fail from the KDC since the armor AP-REQ won't be valid. +out = realm.kinit(realm.user_princ, password('user'), expected_code=1) +if 'Clock skew too great in KDC reply' not in out: + fail('Expected error message not seen in kinit skew case') +out = realm.kinit(realm.user_princ, password('user'), flags=['-T', fast_cache], + expected_code=1) +if 'Clock skew too great while' not in out: + fail('Expected error message not seen in kinit FAST skew case') + +# kinit (with preauth) should fail from the KDC, with or without FAST. realm.run_kadminl('modprinc +requires_preauth user') -realm.kinit(realm.user_princ, password('user'), expected_code=1) -realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], +out = realm.kinit(realm.user_princ, password('user'), expected_code=1) +if 'Clock skew too great while' not in out: + fail('Expected error message not seen in kinit skew case (preauth)') +realm.kinit(realm.user_princ, password('user'), flags=['-T', fast_cache], expected_code=1) +if 'Clock skew too great while' not in out: + fail('Expected error message not seen in kinit FAST skew case (preauth)') success('Clock skew tests') |