kdc: Add param to derive max_life from client cert

This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life.  This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero).  The value of this parameter caps the max_life inferred from
the certificate.
Nicolas Williams
2021-03-23 12:07:41 -05:00
parent dfdc6c3a06
commit 8e7c7209e8
7 changed files with 82 additions and 2 deletions

@@ -840,6 +840,20 @@ Defaults to
.It Li pkinit_dh_min_bits = Va NUMBER
Minimum acceptable modular Diffie-Hellman public key size in
bits.
.It Li pkinit_ticket_max_life_from_cert = Va TIME
If set, this will override the
.Va max_life
attribute of the client principal's HDB record with the
.Va notAfter
of the client's certificate minus the current time, bounded to
the given relative
.Va TIME .
As usual,
.Va TIME
can be given as a number followed by a unit, such as
.Dq 2d
for
.Dq two days .
.It Li historical_anon_realm = Va boolean
Enables pre-7.0 non-RFC-comformant KDC behavior.
With this option set to
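Review bot: The new `pkinit_ticket_max_life_from_cert` entry says "If set" but never states the default or that a value of zero leaves the feature disabled, which the commit message gives as the intended behaviour; the neighbouring entries end with a "Defaults to ..." sentence, so this one should too (e.g. "Defaults to 0, which disables this behavior."). The entry also leaves open in which direction the override applies: as written, "override the max_life attribute ... with the notAfter of the client's certificate minus the current time" can be read as replacing max_life unconditionally, so a client certificate with a long validity period could yield a ticket lifetime longer than the max_life the administrator configured in the HDB; the text should say explicitly whether the certificate-derived value replaces max_life even when larger or whether the smaller of the two is used.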