How krb5.conf is parsed (especially in respect to comments)

Harald Barth haba at kth.se
Mon Mar 26 11:29:23 CEST 2018


Is there any consensus about using comments in krb5.conf and how it
should be parsed?

I have tried to figure out what is OK according to the documentation
but not found anything about comments in the manual pages. There
is a widespread use of comments like this:

[libdefaults]
	default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms

and usage of "#" at the beginning of the line will make the parser
ignore that line and it works as a comment.

But if I write:

[libdefaults]
	renew_lifetime = 3d # this comment will break things

this will make that line not parse and be ignored.
Probably not what a normal user expects, especially as
kinit does not even warn about it.

Ok, a "power user" may discover verify_krb5_conf and run that command:

$ verify_krb5_conf 
(...)
verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3d # this comment will break things" as time
(...)

it tells me the problem. But then one would expect that
verify_krb5_conf would have the same logic as kinit when telling me
what is good or bad, but it has not. Look at these examples:

Entry in krb5.conf
     renew_lifetime = 3d
verify_krb5_conf
     OK
kinit 
     consistent with above (does parse and gets renewable for 3 days)


Entry in krb5.conf
     renew_lifetime = 3 0
verify_krb5_conf
     verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3 0" as time
kinit 
     consistent with above (does not parse and tickets are not renewable)

Entry in krb5.conf
     renew_lifetime = 3 d
verify_krb5_conf
     OK (no complaint)
kinit 
     not consistent with above (does not parse and tickets are not renewable)

Entry in krb5.conf
     renew_lifetime = 3 days
verify_krb5_conf
     OK (no complaint)
kinit 
     not consistent with above (does not parse and tickets are not renewable)


So there are several things that should be fixed to get the "least
astonishment" on the part of the user:

* Usage of comments in the file format should be documented

* Usage of # to comment the rest of a line would probably be appreciated by most users

* kinit should warn if parts of relevant values of its options can not
  be parsed properly

* The parser of kinit and verify_krb5_conf should agree on whether a time
  string can be parsed or not, especially on whether whitespace should end
  parsing of a time or not. Even the manual page disagrees with
  itself on that matter:

     STRINGs consists of one or more non-whitespace characters.

and 5 rows below:

      time
          values can be a list of year, month, day, hour, min, second.  Example: 1 month 2 days 30 min.

Tests were made with heimdal version 7.4.0

Of course it would be nice if this would not differ too much among the
kerberos implementations.

Harald.
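A small lint for the two pitfalls the post describes, as an added example that is not part of the post and not Heimdal's own parser. It encodes only what the post observed with Heimdal 7.4.0: a full-line "#" is a comment, a "#" after a value is not (the whole value fails to parse), and a time value containing whitespace ("3 d", "3 days", "3 0") was rejected by kinit. The set of time-valued keys, the sample configuration and the simplified handling of `{ }` subsections are assumptions made for this example.

```python
import re

# Constructed sample reproducing the cases from the post (not a real site config).
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
\tkrb4_config = /etc/krb.conf
\trenew_lifetime = 3d # this comment will break things
\tticket_lifetime = 3 days
\tforwardable = true
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
ASSIGN_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

# Keys whose values are times. Assumption for this example; extend as needed.
TIME_KEYS = {"renew_lifetime", "ticket_lifetime", "clockskew", "kdc_timeout"}


def parse_krb5_conf(text):
    """Return (section, key, value, lineno) tuples.

    Only lines whose first non-blank character is '#' are treated as comments,
    which is the behaviour the post observed. Subsection braces ('key = {' and
    a bare '}') are skipped rather than modelled; values inside them are still
    reported under the enclosing section.
    """
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line == "}":
            continue
        m = ASSIGN_RE.match(line)
        if m and not m.group(2).startswith("{"):
            entries.append((section, m.group(1), m.group(2), lineno))
    return entries


def lint_entries(entries):
    """Flag values that the post reports kinit silently fails to parse."""
    findings = []
    for _section, key, value, lineno in entries:
        if "#" in value:
            findings.append((lineno, key,
                             "'#' after a value is not a comment; the whole value fails to parse"))
        elif key in TIME_KEYS and re.search(r"\s", value):
            findings.append((lineno, key,
                             "whitespace inside a time value; kinit rejected such values "
                             "in the reported tests even though verify_krb5_conf did not"))
    return findings


def lint_krb5_conf(text):
    return lint_entries(parse_krb5_conf(text))


if __name__ == "__main__":
    for lineno, key, msg in lint_krb5_conf(SAMPLE_KRB5_CONF):
        print(f"line {lineno}: {key}: {msg}")
```

Run it against a real file with `lint_krb5_conf(open("/etc/krb5.conf").read())`; a clean result means neither pitfall is present, not that the file is otherwise valid, so verify_krb5_conf is still worth running afterwards.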


More information about the Heimdal-discuss mailing list