Subject: lib/35968: add option to pam_krb5(8) to request renewable tickets (patch supplied)
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <j+nbsd@2007.salmi.ch>
List: netbsd-bugs
Date: 03/10/2007 13:45:00
>Number: 35968
>Category: lib
>Synopsis: add option to pam_krb5(8) to request renewable tickets (patch supplied)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Mar 10 13:45:00 +0000 2007
>Originator: Jukka Salmi
>Release: NetBSD 4.99.13
>Environment:
System: NetBSD moray.salmi.ch 4.99.13 NetBSD 4.99.13 (MORAY.APM) #0: Thu Mar 8 14:20:43 CET 2007 build@moray.salmi.ch:/build/nbsd/i386/sys/arch/i386/compile/MORAY.APM i386
>Description:
While there is an option to pam_krb5(8) to request forwardable tickets,
it's impossible to request renewable tickets.
>How-To-Repeat:
Log in to a system using PAM Kerberos V authentication and try to renew
the ticket:
$ kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
This fails because the `renewable' flag on the ticket is not set.
>Fix:
The following patch adds an option to pam_krb5(8) to choose whether
requested tickets should be renewable or not. The lifetime used (one
month) is what kinit(1) uses as a default.
It's also available from
http://salmi.ch/~jukka/patches/nbsd/HEAD/lib/libpam/modules/pam_krb5/renewable_opt.patch
Index: lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
RCS file: /cvsroot/src/lib/libpam/modules/pam_krb5/pam_krb5.8,v
retrieving revision 1.6
diff -u -p -r1.6 pam_krb5.8
--- lib/libpam/modules/pam_krb5/pam_krb5.8 28 Feb 2005 10:32:13 -0000 1.6
+++ lib/libpam/modules/pam_krb5/pam_krb5.8 10 Mar 2007 13:19:09 -0000
@@ -82,6 +82,8 @@ option, except that if the previously ob
user is prompted for another password.
.It Cm forwardable
Obtain forwardable Kerberos credentials for the user.
+.It Cm renewable
+Obtain renewable Kerberos credentials for the user.
.It Cm no_ccache
Do not save the obtained credentials in a credentials cache.
This is a
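Review bot: the new `.It Cm renewable` entry should document the renewable lifetime the module requests (the cover text says one month, matching the kinit(1) default) and that the KDC may clamp it to the principal's or realm's maximum renewable life, since nothing in the option name tells an administrator how long `kinit -R` will keep working. The existing entries in this list are also in alphabetical order (forwardable, no_ccache, ...), so `renewable` belongs after `no_ccache` rather than before it.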
Index: lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
RCS file: /cvsroot/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
retrieving revision 1.18
diff -u -p -r1.18 pam_krb5.c
--- lib/libpam/modules/pam_krb5/pam_krb5.c 3 Nov 2006 18:55:40 -0000 1.18
+++ lib/libpam/modules/pam_krb5/pam_krb5.c 10 Mar 2007 13:19:10 -0000
@@ -69,6 +69,7 @@ __RCSID("$NetBSD: pam_krb5.c,v 1.18 2006
#include <krb5/krb5.h>
#include <krb5/com_err.h>
+#include <krb5/parse_time.h>
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
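Review bot: `<krb5/parse_time.h>` is the libroken helper header, not part of the libkrb5 API proper; if the one-month renew lifetime in the pam_sm_authenticate hunk is expressed as a constant (or the option is given an explicit lifetime value) instead of being parsed from a string literal at every login, this include is not needed at all. If it stays, the build should be checked to confirm the module picks up libroken through its existing libkrb5 dependency rather than needing a new LDADD.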
@@ -94,6 +95,7 @@ static void compat_free_data_contents(kr
#define PAM_OPT_CCACHE "ccache"
#define PAM_OPT_DEBUG "debug"
#define PAM_OPT_FORWARDABLE "forwardable"
+#define PAM_OPT_RENEWABLE "renewable"
#define PAM_OPT_NO_CCACHE "no_ccache"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
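Review bot: style point on ordering: the surrounding `PAM_OPT_*` defines are kept alphabetical (ccache, debug, forwardable, no_ccache, reuse_ccache), so `PAM_OPT_RENEWABLE` should be placed between `PAM_OPT_NO_CCACHE` and `PAM_OPT_REUSE_CCACHE` rather than before `no_ccache`.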
@@ -152,6 +154,12 @@ pam_sm_authenticate(pam_handle_t *pamh,
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+ if (openpam_get_option(pamh, PAM_OPT_RENEWABLE)) {
+ krb5_deltat renew;
+ renew = parse_time("1 month", "s");
+ krb5_get_init_creds_opt_set_renew_life(&opts, renew);
+ }
+
PAM_LOG("Credentials initialised");
krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
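Review bot: the return value of `parse_time()` is not checked; it returns -1 on a parse failure, and passing that through `krb5_get_init_creds_opt_set_renew_life()` would silently request a nonsensical renew life, so add `if (renew < 0) renew = 0;` or log and skip the call. Since `openpam_get_option()` returns the option's value (an empty string for a bare `renewable`), the lifetime could be made configurable instead of hard-coding `"1 month"`, e.g. `const char *life = openpam_get_option(pamh, PAM_OPT_RENEWABLE);` followed by `if (*life == '\0') life = "1 month";` before `renew = parse_time(life, "s");`. Also worth a comment in the code: the value is only a request, the KDC caps it at the principal's maximum renewable life, and `kinit -R` still requires the current ticket to be unexpired, so a long renew life does not by itself extend how long a credential cache stays usable after the ticket lifetime runs out.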