Ticket #1096 (closed defect: fixed)

Opened 2 years ago

Last modified 5 months ago

Clock skew in krb5 auth should result in offline operation, not failure

Reported by: sgallagh
Owned by: jhrozek
Priority: major
Milestone: SSSD 1.12 beta
Component: Kerberos Provider
Version: 1.6.3
Keywords:
Cc:
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted: no
Red Hat Bugzilla: 756428
Design link:
Feature Milestone:
Design review: no
Fedora test page:
Chosen: Not need
Candidate to push out: no
Release Notes:

Description (last modified by dpal)

Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428

Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.

We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.
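The decision requested above, as an added C sketch that is not SSSD's code: only errors that say nothing about the password lead to the cached check, while a KDC rejection of the credentials stays a denial. The function name, result enum, message text and the treatment of `KRB5_KDC_UNREACH` as an existing offline trigger are assumptions; the numeric values are those of MIT krb5's error table.

```c
#include <stdio.h>
#include <string.h>

/* Values from MIT krb5's error table (krb5.h), defined here so the
 * sketch builds without the Kerberos headers. */
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L) /* KDC rejected the password */
#define KRB5KRB_AP_ERR_SKEW        (-1765328347L) /* clock skew too great */
#define KRB5_KDC_UNREACH           (-1765328228L) /* no KDC could be contacted */

/* Hypothetical result codes, not SSSD's own. */
enum auth_result { AUTH_OK, AUTH_DENIED, AUTH_OK_OFFLINE };

/* Only conditions that say nothing about the password may trigger the
 * offline path; a KDC that rejected the credentials must stay a denial. */
static int is_offline_trigger(long kerr)
{
    return kerr == KRB5KRB_AP_ERR_SKEW || kerr == KRB5_KDC_UNREACH;
}

/* kerr:      result of the online attempt (0 means success).
 * cached_ok: nonzero if the password matched the locally cached hash.
 * msg:       text the caller would pass to the PAM conversation and syslog. */
enum auth_result krb5_auth_decide(long kerr, int cached_ok,
                                  char *msg, size_t len)
{
    if (len > 0)
        msg[0] = '\0';
    if (kerr == 0)
        return AUTH_OK;
    if (!is_offline_trigger(kerr))
        return AUTH_DENIED;           /* e.g. wrong password: never fall back */
    snprintf(msg, len, "%s; trying cached credentials",
             kerr == KRB5KRB_AP_ERR_SKEW ? "Clock skew with the KDC is too great"
                                         : "No KDC could be contacted");
    return cached_ok ? AUTH_OK_OFFLINE : AUTH_DENIED;
}

int main(void)
{
    char msg[128];
    enum auth_result r = krb5_auth_decide(KRB5KRB_AP_ERR_SKEW, 1, msg, sizeof msg);
    printf("result=%d message=\"%s\"\n", (int)r, msg);
    return 0;
}
```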

Change History

comment:1 Changed 2 years ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0
  • tests set to 0
  • Description modified
  • upgrade set to 0
  • Patch Submitted unset
  • Tests Updated unset

comment:2 Changed 2 years ago by mkosek

  • Red Hat Bugzilla set to 756428 (https://bugzilla.redhat.com/show_bug.cgi?id=756428)

comment:3 Changed 2 years ago by dpal

  • Milestone changed from SSSD 1.9.0 to SSSD Kerberos improvements

comment:4 Changed 20 months ago by dpal

  • proposed_priority set to Nice to have

comment:5 Changed 20 months ago by dpal

  • proposed_priority changed from Nice to have to Important

Per Stephen's suggestion I am bumping the priority.

comment:6 Changed 20 months ago by dpal

  • Milestone changed from SSSD Kerberos Improvements Feature to SSSD 1.10 beta

Moving all the features planned for 1.10 release into 1.10 beta.

comment:7 Changed 20 months ago by dpal

  • Priority changed from major to minor

comment:8 Changed 20 months ago by dpal

  • Priority changed from minor to major

comment:9 Changed 16 months ago by dpal

  • Chosen set to Not need

comment:10 Changed 16 months ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

Moving tickets that are not a priority for SSSD 1.10 into the next release.

comment:11 Changed 9 months ago by dpal

  • Milestone changed from SSSD 1.13 beta to Interim Bucket
  • Design review unset
  • Candidate to push out unset

Test and, if done, close; otherwise re-triage.

comment:12 Changed 9 months ago by dpal

  • Milestone changed from Interim Bucket to SSSD 1.12 beta

comment:13 Changed 5 months ago by jhrozek

  • Owner changed from somebody to jhrozek

comment:14 Changed 5 months ago by jhrozek

  • Resolution set to fixed
  • Status changed from new to closed