RFR 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes
Wang Weijun
weijun.wang at oracle.com
Tue Dec 2 08:21:46 UTC 2014
Are you OK with this difference?
Thanks
Max
> On Nov 18, 2014, at 15:02, Wang Weijun <weijun.wang at oracle.com> wrote:
>
>
>> On Nov 18, 2014, at 07:43, Valerie Peng <valerie.peng at oracle.com> wrote:
>>
>>
>> The default value 0 for the "renew_lifetime" is documented in MIT's Kerberos conf documentation. http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
>> However, I am not sure how this 0 value should be interpreted/handled.
>
> From what I observe, MIT kinit by default sends a null rtime. So it is the same as us.
>
> On the other hand, MIT kinit default sets RENEWABLE_OK, so it always receives a renewable ticket and the renewable lifetime set by KDC. In Java, we only set it when "renewable = true" is included in krb5.conf (see KDCOptions::setDefault), so by default java kinit gets a non-renewable ticket.
>
> Thanks
> Max
>
>
>> Valerie
>> On 11/17/2014 12:23 AM, Wang Weijun wrote:
>>>> On Nov 15, 2014, at 09:25, Valerie Peng <valerie.peng at oracle.com> wrote:
>>>>
>>>> Max,
>>>>
>>>> Most looks fine, just some questions.
>>>>
>>>> - Kinit.java: line 56, it should be "sun.security.krb5.internal.tools.Kinit"?
>>> Correct.
>>>
>>>> - Kinit.java: for the switch block from 135 - 142: add a default case to catch illegal values?
>>> Done.
>>>
>>>> - Kinit.java: line 163, doesn't the credentials cache exist already?
>>> This line would remove all existing service tickets so they will be re-acquired using the new TGT. I copied this behavior from other vendors.
>>>
>>>> - KrbAsReq.java: line 128, what if rtime is 0 (default value)?
>>> Not sure if I understand. There is no default value for "renew_lifetime". If it does not exist inside krb5.conf, then rtime is not reassigned, which is still null.
>>>
>>>> - KDC.java: line 879-883, how can you be sure that there is always more than 1 eType and that the 2nd eType is supported.
>>> I'll throw KDC_ERR_ETYPE_NOSUPP.
>>>
>>> Thanks
>>> Max
>>>
>>>> Valerie
>>>>
>>>> On 11/6/2014 10:31 AM, Valerie Peng wrote:
>>>>> OK, I will take a look.
>>>>>
>>>>> Thanks,
>>>>> Valerie
>>>>>
>>>>> On 11/5/2014 10:04 PM, Wang Weijun wrote:
>>>>>> Ping ping...
>>>>>>
>>>>>>> On Oct 20, 2014, at 13:22, Wang Weijun <weijun.wang at oracle.com> wrote:
>>>>>>>
>>>>>>> Can anyone take a look?
>>>>>>>
>>>>>>>> On Sep 25, 2014, at 18:54, Wang Weijun <weijun.wang at oracle.com> wrote:
>>>>>>>>
>>>>>>>> Hi All
>>>>>>>>
>>>>>>>> Please review the code change at
>>>>>>>>
>>>>>>>> http://cr.openjdk.java.net/~weijun/8044500/webrev.00
>>>>>>>>
>>>>>>>> It adds support for ticket_lifetime and renew_lifetime in krb5.conf, and adds -r, -l and -R to kinit (on Windows).
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Max
>>>>>>>>
>
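As an added illustration of the MIT/Java difference Max describes above (a constructed model, not OpenJDK or MIT code; the krb5.conf parser and the d/h/m/s duration syntax are simplifying assumptions), here is how the two kinit behaviours map krb5.conf settings to the renewable-related AS-REQ fields:

```python
"""Model of how kinit turns krb5.conf [libdefaults] into the renewable-related AS-REQ
fields. Constructed example, not OpenJDK/MIT code; parser and duration syntax simplified."""
import re

_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}   # assumed d/h/m/s duration syntax

def parse_duration(text: str) -> int:
    """'36000' -> 36000, '10h 30m' -> 37800, '7d' -> 604800."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in re.finditer(r"\s*(\d+)\s*([dhms])", text):
        if m.start() != pos:
            break
        total += int(m.group(1)) * _UNIT[m.group(2)]
        pos = m.end()
    if not text or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total

def libdefaults(conf: str) -> dict:
    """Key/value pairs of the [libdefaults] section; '#' comments are stripped."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            out[key.lower()] = val
    return out

def as_req_renew_fields(conf: str, impl: str) -> dict:
    """RENEWABLE_OK bit plus rtime/till (seconds) a kinit would send; impl is 'mit' or 'java'."""
    d = libdefaults(conf)
    opt = lambda k: parse_duration(d[k]) if k in d else None   # absent key -> null, no default
    # MIT kinit always sets RENEWABLE_OK; Java only when krb5.conf has renewable = true.
    renewable_ok = impl == "mit" or d.get("renewable", "false").lower() == "true"
    return {"renewable_ok": renewable_ok, "rtime": opt("renew_lifetime"), "till": opt("ticket_lifetime")}

# Constructed sample configurations (values are illustrative).
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7d
    renewable = true   # without this line Java kinit would get a non-renewable ticket
"""
MINIMAL_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
```

With MINIMAL_CONF the model returns RENEWABLE_OK set for "mit" and clear for "java", with rtime null in both, which is the default-behaviour gap the thread discusses.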