From: Sam Hartman Date: Thu, 11 Dec 2003 22:12:35 +0000 (+0000) Subject: Note that krb4 expiration needs to be more conservative than krb5 X-Git-Tag: krb5-1.4-beta1~723 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=4be977325ba0b302cd66358d018580618a195b63;p=krb5.git Note that krb4 expiration needs to be more conservative than krb5 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15878 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index 82a8d2b81..0b8744c25 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog @@ -1,3 +1,7 @@ +2003-12-11 Sam Hartman + + * rd_req.c (krb_rd_req_with_key): Note that the expiration difference between krb5 and krb4 is important + 2003-08-15 Alexandra Ellwood * mk_auth.c: krb_check_auth clears the return value for the diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c index 92faf0cd9..a1d70c643 100644 --- a/src/lib/krb4/rd_req.c +++ b/src/lib/krb4/rd_req.c @@ -402,6 +402,20 @@ krb_rd_req_with_key(authent, service, instance, from_addr, ad, ks, k5key) goto cleanup; } else if (krb_life_to_time((KRB4_32)ad->time_sec, ad->life) < t_local + CLOCK_SKEW) { + /* + * This calculation is different than the same expiration + * calculation in krb5. In krb5 the ticket lasts for + * clock_skew seconds longer than its expiration; in krb4 it + * lasts clock_skew seconds less. This difference is + * necessary to avoid using an almost expired tgt to get a new + * tgt that will last for another 5 minutes. This code + * interacts with the login in src/kdc/kerberos_v4.c to + * back-date tickets to avoid them expiring late. The + * combination may be overly conservative, but I'm fairly sure + * either removing the kerberos_v4 backdating or replacing + * this check with the krb5 check is sufficient to create a + * security problem. + */ ret = RD_AP_EXP; goto cleanup; }
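Review bot: The cross-file invariant described in the comment added to the expiry branch of krb_rd_req_with_key is recorded on only one side. This commit does not touch src/kdc/kerberos_v4.c, so unless that file already carries a note, someone changing the backdating there gets no warning that this check depends on it. I would add a matching pointer at the backdating site, for example `/* Pairs with the CLOCK_SKEW expiry check in krb_rd_req_with_key (src/lib/krb4/rd_req.c); do not relax one without the other. */`. There are two wording points in the comment itself: `login in src/kdc/kerberos_v4.c` presumably should read `logic`, and `another 5 minutes` hard-codes what the condition expresses as `CLOCK_SKEW`, whose value is not visible in this hunk, so `for another CLOCK_SKEW seconds` would stay correct if the constant changes. The function body starts and ends outside the hunk.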