RFR 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes

Valerie Peng valerie.peng at oracle.com
Mon Nov 17 23:43:00 UTC 2014


The default value 0 for the "renew_lifetime" is documented in MIT's 
Kerberos conf documentation. 
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
However, I am not sure how this 0 value should be interpreted/handled.
Valerie
On 11/17/2014 12:23 AM, Wang Weijun wrote:
>> On Nov 15, 2014, at 09:25, Valerie Peng<valerie.peng at oracle.com>  wrote:
>>
>> Max,
>>
>> Most looks fine, just some questions.
>>
>> - Kinit.java: line 56, it should be "sun.security.krb5.internal.tools.Kinit"?
> Correct.
>
>> - Kinit.java: for the switch block from 135 - 142: add a default case to catch illegal values?
> Done.
>
>> - Kinit.java: line 163, doesn't the credentials cache exist already?
> This line would remove all existing service tickets so they will be re-acquired using the new TGT. I copied this behavior from other vendors.
>
>> - KrbAsReq.java: line 128, what if rtime is 0 (default value)?
> Not sure if I understand. There is no default value for "renew_lifetime". If it does not exist inside krb5.conf, then rtime is not reassigned, which is still null.
>
>> - KDC.java: line 879-883, how can you be sure that there is always more than 1 eType and that the 2nd eType is supported.
> I'll throw KDC_ERR_ETYPE_NOSUPP.
>
> Thanks
> Max
>
>> Valerie
>>
>> On 11/6/2014 10:31 AM, Valerie Peng wrote:
>>> OK, I will take a look.
>>>
>>> Thanks,
>>> Valerie
>>>
>>> On 11/5/2014 10:04 PM, Wang Weijun wrote:
>>>> Ping ping...
>>>>
>>>>> On Oct 20, 2014, at 13:22, Wang Weijun<weijun.wang at oracle.com>   wrote:
>>>>>
>>>>> Anyone can take a look?
>>>>>
>>>>>> On Sep 25, 2014, at 18:54, Wang Weijun<weijun.wang at oracle.com>   wrote:
>>>>>>
>>>>>> Hi All
>>>>>>
>>>>>> Please review the code change at
>>>>>>
>>>>>> http://cr.openjdk.java.net/~weijun/8044500/webrev.00
>>>>>>
>>>>>> It adds support for ticket_lifetime and renew_lifetime in krb5.conf, and add -r -l -R to kinit (on Windows).
>>>>>>
>>>>>> Thanks
>>>>>> Max
>>>>>>


More information about the security-dev mailing list