Ticket lifetimes > 10 hrs?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Nov 15 12:19:06 EST 2002
>> - The MIT client side library wont get you a new service ticket if you
>> have one already cached, even if it's expired.
>
>Is this just a matter of someone leaving out a KRB5_TC_MATCH_TIMES flag
>somewhere?
TC_MATCH_TIMES is already set in my reading of the code, and it's been
in there for a while. But you have to fill in endtime in the source
credentials, and I guess in most of the cases the application code
doesn't. All the code I've ever seen just memset(0,...)s out the whole
creds structure that it passes in, and just fills in things like client
and server principal.
Okay, that's not correct ... it looks like GSS-API might do the right
thing ... if you pass in a value for time_req in gss_init_sec_context()
that's not GSS_C_INDEFINITE or zero. Does anyone do that? I see that
ftp and SASL both pass in a zero for time_req.
--Ken
More information about the Kerberos
mailing list