[krbdev.mit.edu #2106] bug in krb5_cc_remove_cred API?

gsu@UU.NET via RT rt-comment at krbdev.mit.edu
Wed Jan 7 11:11:42 EST 2004




On Tue, 6 Jan 2004, Sam Hartman via RT wrote:

> >>>>> "gsu at UU" == gsu at UU NET via RT <rt-comment at krbdev.mit.edu> writes:
>     gsu at UU> I noticed that if there are more than one credentials for
>     gsu at UU> the same server, krb5_get_credentials returns the first
>     gsu at UU> one found which may be expired.  I have to use
>     gsu at UU> krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option to
>     gsu at UU> get the good credential and send to the server for
>     gsu at UU> authentication.  Since I have to keep getting new service
>     gsu at UU> ticket, I thought it would be nice if I can remove all old
>     gsu at UU> ones.
>
> The logic used by krb5_mk_req in 1.3.x should correctly use only
> unexpired credentials.  Previous versions of Kerberos did not tend to
> do this correctly.
>
>

Is this new logic in release after 1.3.1?

I am looking at the 1.3.1 source tree.  Suppose I have 2 service tickets,
the first one is expired.
krb5_mk_req calls krb5_get_credentials which returns the expired ticket.
krb5_mk_req calls krb5_mk_req_extended with this expired credential.
krb5_mk_req_extended calls krb5_validate_times.
krb5_validate_times returns KRB5KRB_AP_ERR_TKT_EXPIRED.
krb5_mk_req returns KRB5KRB_AP_ERR_TKT_EXPIRED to the caller.

So instead of calling krb5_mk_req, I call krb5_cc_retrieve_cred, then
call krb5_mk_req_extended with the valid credential.


More information about the krb5-bugs mailing list