From robert@fledge.watson.org  Fri Mar 13 23:00:47 1998
Received: from fledge.watson.org (robert@FLEDGE.RES.CMU.EDU [128.2.91.116])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA23543
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 13 Mar 1998 23:00:45 -0800 (PST)
          (envelope-from robert@fledge.watson.org)
Received: (from robert@localhost) by fledge.watson.org (8.8.8/8.6.10) id CAA27738; Sat, 14 Mar 1998 02:00:46 -0500 (EST)
Message-Id: <199803140700.CAA27738@fledge.watson.org>
Date: Sat, 14 Mar 1998 02:00:46 -0500 (EST)
From: robert@cyrus.watson.org
Reply-To: robert+freebsd@cyrus.watson.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: kerberosIV kadmin -- default entry year-2000 stupid
X-Send-Pr-Version: 3.2

>Number:         6000
>Category:       bin
>Synopsis:       kadmin ank uses bad default expiration of account
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 13 23:10:02 PST 1998
>Closed-Date:    Mon Aug 20 11:18:01 PDT 2001
>Last-Modified:  Mon Aug 20 11:19:32 PDT 2001
>Originator:     Robert Watson
>Release:        FreeBSD 2.2.5-STABLE i386
>Organization:
>Environment:
kerberosIV, -stable, KTH

Multiple -STABLE machines w/-STABLE KTH implementation

>Description:

kadmin uses a bad default principal expiration (year 2000) -- this is not
useful as that is in a year+1/2.  I don't want the default to be to expire
all my accounts that soon :).  The old kadmin would not create an account
with an expiration later than that of the admin ticket used to create it,
and would default to the same expiration as that ticket.  The new one just
uses the year 2000 + current day/month/time as the expiration.

>How-To-Repeat:

fledge:~> kadmin
Welcome to the Kerberos Administration Program, version 2
Type "help" if you need it.
kadmin: ank robert.test
robert.admin@WATSON.ORG's Password: 
Maximum ticket lifetime?  (162)  [4+07:34:45]  255
Attributes?  [0x00]  
Expiration date (enter yyyy-mm-dd) ?  [Mon Mar 13 01:54:12 2000]  Thu Dec 31 23:59:00 2009
Expiration date (enter yyyy-mm-dd) ?  [Mon Mar 13 01:54:12 2000]  2009-12-31
Password for robert.test:
Verifying password - Password for robert.test:

>Fix:
	
Change the constant to something more reasonable, like say 2009-12-31, which
is ten years later than the old default (hence my choice for accounts).  Maybe
later still?  Retain the bound preventing creation of tickets that last longer
than the current .admin ticket.

>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: robert+freebsd@cyrus.watson.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/6000: kerberosIV kadmin -- default entry year-2000 stupid
Date: Mon, 16 Mar 1998 09:48:40 -0500 (EST)

 <<On Sat, 14 Mar 1998 02:00:46 -0500 (EST), robert@cyrus.watson.org said:
 
 > Change the constant to something more reasonable, like say 2009-12-31, which
 > is ten years later than the old default (hence my choice for accounts).  Maybe
 
 Unfortunately, this will hose the Kerberos v5 upgrade procedure, which
 knows about the long-standing (since the mid-80s) default expiration
 time and automatically translates v4 principals expiring 1999-12-31
 into v5 principals with no expiration date.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

From: Robert Watson <robert@cyrus.watson.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/6000: kerberosIV kadmin -- default entry year-2000 stupid
Date: Mon, 16 Mar 1998 10:33:32 -0500 (EST)

 On Mon, 16 Mar 1998, Garrett Wollman wrote:
 
 > <<On Sat, 14 Mar 1998 02:00:46 -0500 (EST), robert@cyrus.watson.org said:
 > 
 > > Change the constant to something more reasonable, like say 2009-12-31,
 > > which is ten years later than the old default (hence my choice for
 > > accounts).  Maybe
 > 
 > Unfortunately, this will hose the Kerberos v5 upgrade procedure, which
 > knows about the long-standing (since the mid-80s) default expiration
 > time and automatically translates v4 principals expiring 1999-12-31
 > into v5 principals with no expiration date.
 
 Perhaps we need a statement from the FreeBSD core people involved as to
 whether they anticipate upgrading FreeBSD to KerberosV in the next year
 months.  Leaving it any longer would not, I think, allow people to benefit
 from the upgrade procedure you require.  Large organizations relying on a
 FreeBSD kerberos IV server would probably desire/require longer than the
 remaining ~9 months until the expiration to do the transition.
 
 This is a year-2000 bug in that apparently no one thought that KerberosIV
 would last this long :).  Since FreeBSD claims to be year-2000 compliant,
 this is certainly something one would want to fix.  It's also not clear
 that I would want to convert accounts expiring on that date to accounts
 with no expiration.  :)
 
 In the meantime, the default value is really not very useful.  The
 non-kth distribution appeared to default the expiry time to some other
 value -- I think either the oldest key in the database, or the key that is
 used to add the new key.  This behavior was useful, as it didn't require
 me to type an expiration again for every key.  An un-useful default is not
 really such a great thing.
 
   Robert N Watson 
 
 Carnegie Mellon University http://www.cmu.edu/
 SafePort Network Services  http://www.safeport.com/
 robert@fledge.watson.org   http://www.watson.org/~robert/
 
State-Changed-From-To: open->closed 
State-Changed-By: schweikh 
State-Changed-When: Mon Aug 20 11:18:01 PDT 2001 
State-Changed-Why:  
This appears to be a Y2K bug that expired 20 moons ago. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6000 
>Unformatted:
