kerberos ticket cache
Simo Sorce
simo@redhat.com
Fri Jul 10 10:06:12 EDT 2015
On Fri, 2015-07-10 at 09:52 -0400, Tom Yu wrote:
> Andrew Levin <amlevin@mit.edu> writes:
>
> > I have noticed that even after I delete my Kerberos ticket cache, as below, I remain authenticated (e.g. I can open files in an area where Kerberos authentication is required). How is this possible?
> >
> > [anlevin@lxplus0055 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
> > Default principal: anlevin@CERN.CH
> >
> > Valid starting     Expires            Service principal
> > 07/10/15 09:54:58  07/11/15 10:54:58  krbtgt/CERN.CH@CERN.CH
> >         renew until 07/15/15 09:54:58
> > 07/10/15 09:54:59  07/11/15 10:54:58  afs/cern.ch@CERN.CH
> >         renew until 07/15/15 09:54:58
> > [anlevin@lxplus0055 ~]$ rm /tmp/krb5cc_13535_4nn0mf
>
> You didn't mention which sort of remote filesystem you're concerned
> with, but based on your klist output, you might be using AFS. The AFS
> client maintains a separate cache of AFS tokens, derived from the
> afs/cellname Kerberos ticket. You can typically use the "unlog" command
> to destroy those AFS tokens.
>
> Also, we generally recommend that people use kdestroy to destroy
> Kerberos tickets.
The same is true for Kerberized NFS on Linux: the session keys are stored in
the kernel and there is currently no way to revoke them; however, once
the session is destroyed the kernel will not be able to recreate it.
Simo,
--
Simo Sorce * Red Hat, Inc * New York
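To make Tom's and Simo's point concrete, here is an added Python example (not from the thread, and not code from MIT Kerberos, OpenAFS or the Linux NFS client) that parses klist output and models which credential stores still hold usable credentials after `rm` of the cache file versus a proper teardown. The klist text is constructed from the output quoted above, with an extra nfs/ service ticket added as an assumption to cover the Kerberized-NFS case; parse_klist, derived_credential_stores, teardown_plan and remaining_after are hypothetical helpers, and the store names are labels of this model, not real cache names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the klist output quoted in the thread; the nfs/
# ticket is an added assumption covering the Kerberized-NFS case Simo mentions.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
Default principal: anlevin@CERN.CH

Valid starting     Expires            Service principal
07/10/15 09:54:58  07/11/15 10:54:58  krbtgt/CERN.CH@CERN.CH
        renew until 07/15/15 09:54:58
07/10/15 09:54:59  07/11/15 10:54:58  afs/cern.ch@CERN.CH
        renew until 07/15/15 09:54:58
07/10/15 09:55:03  07/11/15 10:54:58  nfs/fileserver.example.org@CERN.CH
"""


@dataclass
class CredState:
    cache_type: str = ""      # e.g. FILE, DIR, KEYRING
    cache_name: str = ""      # e.g. /tmp/krb5cc_13535_4nn0mf
    principal: str = ""
    services: list = field(default_factory=list)  # service principals of held tickets


_CACHE_RE = re.compile(r"^Ticket cache:\s+(\w+):(.+)$")
_PRINC_RE = re.compile(r"^Default principal:\s+(\S+)$")
# "date time  date time  service@REALM"; the header and "renew until" lines do not match
_TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$")


def parse_klist(text):
    """Parse MIT klist output into a CredState (hypothetical helper)."""
    state = CredState()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _CACHE_RE.match(line):
            state.cache_type, state.cache_name = m.group(1), m.group(2).strip()
        elif m := _PRINC_RE.match(line):
            state.principal = m.group(1)
        elif m := _TICKET_RE.match(line):
            state.services.append(m.group(1))
    return state


def derived_credential_stores(state):
    """Credential stores outside the krb5 cache that the held service tickets feed."""
    stores = set()
    for svc in state.services:
        service = svc.split("/", 1)[0]
        if service == "afs":
            stores.add("afs-token-cache")      # AFS tokens; cleared with unlog
        elif service == "nfs":
            stores.add("kernel-nfs-session")   # session keys held in the kernel
    return stores


def teardown_plan(state):
    """Commands (plus one advisory line) to drop every credential the cache fed."""
    steps = [f"kdestroy -c {state.cache_type}:{state.cache_name}"]
    stores = derived_credential_stores(state)
    if "afs-token-cache" in stores:
        steps.append("unlog")
    if "kernel-nfs-session" in stores:
        steps.append("# NFS: no revoke command; session keys stay in the kernel until the "
                     "session ends, and kdestroy stops it from being re-created")
    return steps


def remaining_after(state, actions):
    """Stores that still hold usable credentials after the given actions.

    Model of the thread's explanation: rm or kdestroy empties only the krb5 cache,
    unlog empties the AFS token cache, and nothing user-side revokes kernel NFS keys.
    """
    stores = {"krb5cc"} | derived_credential_stores(state)
    for action in actions:
        if action.startswith(("rm ", "kdestroy")):
            stores.discard("krb5cc")
        elif action == "unlog":
            stores.discard("afs-token-cache")
    return stores


if __name__ == "__main__":
    st = parse_klist(SAMPLE_KLIST)
    print("after rm only:", sorted(remaining_after(st, [f"rm {st.cache_name}"])))
    print("after full teardown:", sorted(remaining_after(st, teardown_plan(st))))
    for step in teardown_plan(st):
        print(step)
```

Running it shows that `rm` on the cache file leaves both the AFS token cache and the kernel NFS session untouched, which is exactly why the original poster stayed authenticated; the plan emitted uses kdestroy (which also handles non-FILE cache types) followed by unlog, with the NFS keys lapsing only when the session ends.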