# This patch fixes a small bug in the handling of credentials lifetime in case a
# Kerberos ticket would have an indefinite lifetime and secondly adds a sysctl so
# we can force a lower lifetime for the GSS credentials cache entries (defaults to
# the same as the Kerberos ticket - typically 10 hours) so group changes for users
# will propagate faster (if set to a lower value. 0 = no cap).
#
# Author: Peter Eriksson , 2019-11-21
--- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c.ORIG 2019-11-20 16:30:21.723539000 +0100
+++ sys/rpc/rpcsec_gss/svc_rpcsec_gss.c 2019-11-21 08:18:39.656478000 +0100
@@ -172,10 +172,15 @@
 #define CLIENT_HASH_SIZE 256
 #define CLIENT_MAX 128
 u_int svc_rpc_gss_client_max = CLIENT_MAX;
+u_int svc_rpc_gss_lifetime_max = 0;
 SYSCTL_NODE(_kern, OID_AUTO, rpc, CTLFLAG_RW, 0, "RPC");
 SYSCTL_NODE(_kern_rpc, OID_AUTO, gss, CTLFLAG_RW, 0, "GSS");
+SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, lifetime_max, CTLFLAG_RW,
+ &svc_rpc_gss_lifetime_max, 0,
+ "Max lifetime (seconds) of rpc-gss clients");
+
 SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_max, CTLFLAG_RW,
 &svc_rpc_gss_client_max, 0,
 "Max number of rpc-gss clients");
@@ -950,8 +955,14 @@
 * that out).
 */
 if (cred_lifetime == GSS_C_INDEFINITE)
- cred_lifetime = time_uptime + 24*60*60;
+ cred_lifetime = 24*60*60;
+ /*
+ * Cap cred_lifetime if sysctl kern.rpc.gss.lifetime_max is set
+ */
+ if (svc_rpc_gss_lifetime_max && cred_lifetime > svc_rpc_gss_lifetime_max)
+ cred_lifetime = svc_rpc_gss_lifetime_max;
+
 client->cl_expiration = time_uptime + cred_lifetime;
 /*
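Review bot: The help string of the new `lifetime_max` sysctl does not say that 0 disables the cap, which is the default and the only way an operator can tell "unlimited" apart from a misconfiguration; the patch header states it but `sysctl -d` will not. Suggest `"Max lifetime (seconds) of rpc-gss clients (0 = no cap)"`. Since the knob is meant as a policy limit on how long a server keeps trusting an accepted context, it would also be useful to set it from loader.conf before the first mount; `CTLFLAG_RWTUN` instead of `CTLFLAG_RW` does that, assuming the target FreeBSD branch provides that flag.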
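Review bot: The cap at `if (svc_rpc_gss_lifetime_max && cred_lifetime > svc_rpc_gss_lifetime_max)` runs only where `client->cl_expiration` is computed, i.e. when a context is accepted, so lowering the sysctl on a running server does not shorten entries already in the client cache; they keep the expiration set when they were created and group changes for those principals still wait for the old lifetime to run out. That is acceptable for the stated goal but should be written down, because an operator lowering the value after a group change will otherwise expect an effect that does not come. Suggest extending the new comment to `Cap cred_lifetime if sysctl kern.rpc.gss.lifetime_max is set. The cap applies only to contexts accepted from now on; cached clients keep their earlier expiration.` The enclosing function starts and ends outside this hunk.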