Ticket #1096 (closed defect: fixed)

Opened 4 years ago

Last modified 21 months ago

Clock skew in krb5 auth should result in offline operation, not failure

Reported by: sgallagh
Owned by: jhrozek
Priority: major
Milestone: SSSD 1.12 beta
Component: Kerberos Provider
Version: 1.6.3
Keywords:
Cc:
Blocked By:
Blocking:
Sensitive:
Tests Updated: no
Coverity Bug:
Patch Submitted: no
Red Hat Bugzilla: 756428
Design link:
Feature Milestone:
Design review: no
Fedora test page:
Chosen: Not need
Candidate to push out: no
Release Notes:
Temp mark:

Description (last modified by dpal)

Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428

Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.

We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.

Change History

comment:1 Changed 4 years ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0
  • tests set to 0
  • upgrade set to 0
  • Patch Submitted unset
  • Tests Updated unset
  • Description modified

comment:2 Changed 4 years ago by mkosek

  • Red Hat Bugzilla set to 756428 (https://bugzilla.redhat.com/show_bug.cgi?id=756428)

comment:3 Changed 4 years ago by dpal

  • Milestone changed from SSSD 1.9.0 to SSSD Kerberos improvements

comment:4 Changed 3 years ago by dpal

  • proposed_priority set to Nice to have

comment:5 Changed 3 years ago by dpal

  • proposed_priority changed from Nice to have to Important

Per Stephen's suggestion I am bumping the priority.

comment:6 Changed 3 years ago by dpal

  • Milestone changed from SSSD Kerberos Improvements Feature to SSSD 1.10 beta

Moving all the features planned for 1.10 release into 1.10 beta.

comment:7 Changed 3 years ago by dpal

  • Priority changed from major to minor

comment:8 Changed 3 years ago by dpal

  • Priority changed from minor to major

comment:9 Changed 3 years ago by dpal

  • Chosen set to Not need

comment:10 Changed 3 years ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

Moving tickets that are not a priority for SSSD 1.10 into the next release.

comment:11 Changed 2 years ago by dpal

  • Milestone changed from SSSD 1.13 beta to Interim Bucket
  • Candidate to push out unset
  • Design review unset

Test and, if done, close; otherwise re-triage.

comment:12 Changed 2 years ago by dpal

  • Milestone changed from Interim Bucket to SSSD 1.12 beta

comment:13 Changed 21 months ago by jhrozek

  • Owner changed from somebody to jhrozek

comment:14 Changed 21 months ago by jhrozek

  • Resolution set to fixed
  • Status changed from new to closed