RFR 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes

Wang Weijun weijun.wang at oracle.com
Mon Nov 17 08:23:25 UTC 2014


> On Nov 15, 2014, at 09:25, Valerie Peng <valerie.peng at oracle.com> wrote:
> 
> Max,
> 
> Most looks fine, just some questions.
> 
> - Kinit.java: line 56, it should be "sun.security.krb5.internal.tools.Kinit"?

Correct.

> - Kinit.java: for the switch block from 135 - 142: add a default case to catch illegal values?

Done.

> - Kinit.java: line 163, doesn't the credentials cache exist already?

This line would remove all existing service tickets so they will be re-acquired using the new TGT. I copied this behavior from other vendors.

> - KrbAsReq.java: line 128, what if rtime is 0 (default value)?

Not sure if I understand. There is no default value for "renew_lifetime". If it does not exist inside krb5.conf, then rtime is not reassigned, which is still null.

> - KDC.java: line 879-883, how can you be sure that there is always more than 1 eType and that the 2nd eType is supported?

I'll throw KDC_ERR_ETYPE_NOSUPP.

Thanks
Max

> 
> Valerie
> 
> On 11/6/2014 10:31 AM, Valerie Peng wrote:
>> OK, I will take a look.
>> 
>> Thanks,
>> Valerie
>> 
>> On 11/5/2014 10:04 PM, Wang Weijun wrote:
>>> Ping ping...
>>> 
>>>> On Oct 20, 2014, at 13:22, Wang Weijun <weijun.wang at oracle.com> wrote:
>>>> 
>>>> Can anyone take a look?
>>>> 
>>>>> On Sep 25, 2014, at 18:54, Wang Weijun <weijun.wang at oracle.com> wrote:
>>>>> 
>>>>> Hi All
>>>>> 
>>>>> Please review the code change at
>>>>> 
>>>>> http://cr.openjdk.java.net/~weijun/8044500/webrev.00
>>>>> 
>>>>> It adds support for ticket_lifetime and renew_lifetime in krb5.conf, and adds -r -l -R to kinit (on Windows).
>>>>> 
>>>>> Thanks
>>>>> Max
>>>>> 


