preserve original starttime on renewed TGTs
Sam Hartman
hartmans at MIT.EDU
Sun Nov 21 12:48:25 EST 2010
>>>>> "Frank" == Frank Cusack <frank+krb at linetwo.net> writes:
Frank> On 11/19/10 4:43 PM -0500 Simo Sorce wrote:
>> On Fri, 19 Nov 2010 13:21:34 -0800
>> Frank Cusack <frank+krb at linetwo.net> wrote:
>>
>>> When running 'kinit -R', the KDC resets the starttime on the
>>> returned TGT to "now". I'd like to modify my KDC to preserve
>>> the original starttime instead. That could make a renewed TGT
>>> appear to have longer than the normal maximum configured
>>> lifetime, but it seems like a fairly trivial non-problem. As
>>> opposed to a postdated ticket, this would now be a predated
>>> ticket.
>>
>> Hi Frank, I am curious to understand why you want to do that.
>> What class of use cases does it solve?
Frank> I would like an application to be able to determine the last
Frank> time the user actually authenticated and make a decision
Frank> based on that. With renewable TGTs you can't determine how
Frank> long ago the user actually interactively authenticated.
Doesn't the authtime field already serve this purpose?