krb5 commit: Improve klist check for expired cache

Greg Hudson ghudson at mit.edu
Mon Oct 13 00:22:42 EDT 2014 

https://github.com/krb5/krb5/commit/922f627b28f480eafc240fb4706cacf6aa7f4c14
commit 922f627b28f480eafc240fb4706cacf6aa7f4c14
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sat Oct 4 20:39:14 2014 -0400

    Improve klist check for expired cache
    
    Make klist -s succeed for a cache which contains a non-expired
    credential and no TGT cred.
    
    ticket: 8022

 src/clients/klist/klist.c |   21 ++++++++++++++++-----
 1 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 15981bf..a10451d 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -542,7 +542,7 @@ check_ccache(krb5_ccache cache)
     krb5_cc_cursor cur;
     krb5_creds creds;
     krb5_principal princ;
-    int exit_status = 1;
+    krb5_boolean found_tgt, found_current_tgt, found_current_cred;
 
     if (krb5_cc_set_flags(kcontext, cache, 0) != 0)
         return 1;
@@ -550,10 +550,16 @@ check_ccache(krb5_ccache cache)
         return 1;
     if (krb5_cc_start_seq_get(kcontext, cache, &cur) != 0)
         return 1;
+    found_tgt = found_current_tgt = found_current_cred = FALSE;
     while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
-        if (is_local_tgt(creds.server, &princ->realm) &&
-            creds.times.endtime > now)
-            exit_status = 0;
+        if (is_local_tgt(creds.server, &princ->realm)) {
+            found_tgt = TRUE;
+            if (creds.times.endtime > now)
+                found_current_tgt = TRUE;
+        } else if (!krb5_is_config_principal(kcontext, creds.server) &&
+                   creds.times.endtime > now) {
+            found_current_cred = TRUE;
+        }
         krb5_free_cred_contents(kcontext, &creds);
     }
     krb5_free_principal(kcontext, princ);
@@ -563,7 +569,12 @@ check_ccache(krb5_ccache cache)
         return 1;
     if (krb5_cc_set_flags(kcontext, cache, KRB5_TC_OPENCLOSE) != 0)
         return 1;
-    return exit_status;
+
+    /* If the cache contains at least one local TGT, require that it be
+     * current.  Otherwise accept any current cred. */
+    if (found_tgt)
+        return found_current_tgt ? 0 : 1;
+    return found_current_cred ? 0 : 1;
 }
 
 /* Return true if princ is the local krbtgt principal for local_realm. */

More information about the cvs-krb5 mailing list