Destroy expired tickets?
Richard E. Silverman
res at qoxp.net
Thu Nov 6 13:52:15 EST 2008
>>>>> "KR" == Ken Raeburn <raeburn at MIT.EDU> writes:
KR> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively
>> harmful (their presence prompts `ssh' to contact the KDC to try and
>> delegate credentials, which is a waste if the tickets are expired,
>> and is really annoying when the KDC times out because it's behind a
>> firewall).
KR> Hm, that sounds a bit broken. I could see, maybe, inferring that
KR> you want to use Kerberos and prompting to get new tickets, but
KR> trying to forward expired ones is no good...
>> But I couldn't find any command that would destroy only expired
>> tickets. Any idea what I should use? I guess I could try and
>> parse the date&time in "klist", but it'd be a pain in the rear and
>> blatantly brittle.
FWIW, the Perl Authen::Krb5 module would allow you to write such a utility
pretty easily.
KR> Running "klist -s" and testing the exit status should let you
KR> figure out if there are currently-valid tickets. I don't know if
KR> there's a way to test for "tickets exist and are not valid",
KR> though perhaps "klist >& /dev/null" (C shell syntax) succeeding
KR> and "klist -s" failing would do the job. Or you could try "klist
KR> -s" and then just run "kdestroy >& /dev/null", ignoring any errors
KR> caused by a ticket cache not existing.
KR> Ken
--
Richard Silverman
res at qoxp.net
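
The exit-status approach suggested in the quoted reply, written out for POSIX sh. This is an added example, not part of the original message; the function names are hypothetical. It assumes that plain `klist` exits 0 when a cache exists but its tickets have expired, which the reply itself only offers as a "perhaps".

```shell
#!/bin/sh
# Added example: classify the default credential cache using only klist exit
# statuses, then destroy it only when it exists but holds no valid tickets.
# Function names are hypothetical; only klist and kdestroy are real commands.

# Prints one of: valid, expired, none
krb_cache_state() {
    if klist -s 2>/dev/null; then
        # klist -s exits 0 only when the cache is readable and not expired
        echo valid
    elif klist >/dev/null 2>&1; then
        # Assumption: plain klist can still read a cache that -s rejected,
        # so the cache exists and its tickets are expired
        echo expired
    else
        # No readable cache at all
        echo none
    fi
}

# Destroys the cache only in the "expired" state.
# Returns 0 if an expired cache was found, 1 if nothing was done.
destroy_expired_tickets() {
    state=$(krb_cache_state)
    case "$state" in
        expired)
            # Ignore kdestroy errors (e.g. the cache vanished in between)
            kdestroy >/dev/null 2>&1 || true
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}
```

Calling `destroy_expired_tickets` before `ssh` (for example from a wrapper or shell profile) leaves valid tickets untouched and removes only a stale cache.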