+2003-12-11 Sam Hartman <hartmans@mit.edu>
+
+ * rd_req.c (krb_rd_req_with_key): Note that the expiration difference between krb5 and krb4 is important
+
2003-08-15 Alexandra Ellwood <lxs@mit.edu>
* mk_auth.c: krb_check_auth clears the return value for the
goto cleanup;
} else if (krb_life_to_time((KRB4_32)ad->time_sec, ad->life)
< t_local + CLOCK_SKEW) {
+ /*
+ * This calculation is different than the same expiration
+ * calculation in krb5. In krb5 the ticket lasts for
+ * clock_skew seconds longer than its expiration; in krb4 it
+ * lasts clock_skew seconds less. This difference is
+ * necessary to avoid using an almost expired tgt to get a new
+ * tgt that will last for another 5 minutes. This code
+ * interacts with the login in src/kdc/kerberos_v4.c to
+ * back-date tickets to avoid them expiring late. The
+ * combination may be overly conservative, but I'm fairly sure
+ * either removing the kerberos_v4 backdating or replacing
+ * this check with the krb5 check is sufficient to create a
+ * security problem.
+ */
ret = RD_AP_EXP;
goto cleanup;
}
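Review bot: In the comment added above `ret = RD_AP_EXP;`, "interacts with the login in src/kdc/kerberos_v4.c" looks like a typo for "logic", and "another 5 minutes" hard-codes what is presumably the value of `CLOCK_SKEW`, so the text can drift from the check it explains. I would change those two lines to `* tgt that will last for another CLOCK_SKEW seconds. This code` and `* interacts with the logic in src/kdc/kerberos_v4.c to`. The warning matters for security but sits on only one side of the coupling. The backdating code in src/kdc/kerberos_v4.c is not shown here; if it has no matching note, a short comment there pointing back to this expiration check in rd_req.c would help stop someone removing the backdating in isolation. The body of krb_rd_req_with_key starts and ends outside the hunk.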