Destroy expired tickets?

Simon Wilkinson simon at sxw.org.uk
Thu Nov 6 19:13:42 EST 2008


On 6 Nov 2008, at 15:05, Ken Raeburn wrote:

> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively harmful
>> (their presence prompts `ssh' to contact the KDC to try and delegate
>> credentials, which is a waste if the tickets are expired, and is really
>> annoying when the KDC times out because it's behind a firewall).
>
> Hm, that sounds a bit broken.  I could see, maybe, inferring that you
> want to use Kerberos and prompting to get new tickets, but trying to
> forward expired ones is no good...

I'm not sure which version of ssh is being referred to here; however,
I can comment on what OpenSSH does (I suspect SunSSH has similar
behaviour).

OpenSSH with my patches calls gss_init_sec_context() for each
supported mechanism to determine whether it should try key exchange
for that mechanism (that's because if we pick a key exchange
mechanism that fails for any reason, we've got no choice but to fail
the connection).

Depending on your Kerberos library, the presence (or absence) of a
credentials cache may affect whether the call to gss_init_sec_context()
causes the KDC to be contacted. It won't have any effect on
delegation.

S.
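For the question quoted at the top of the thread (getting rid of an expired cache so that ssh's GSSAPI probing has nothing to work with), here is an added example that is not code from the thread, OpenSSH or MIT Kerberos: it parses the listing printed by MIT `klist`, and runs `kdestroy` only when no krbtgt/ entry is still valid. The listing layout, the two date formats and SAMPLE_KLIST are assumptions and constructed data.

```python
"""Destroy a Kerberos credential cache once its TGT has expired.

Added example (not from the thread). The klist layout and the two
timestamp formats below are assumptions about typical MIT output;
SAMPLE_KLIST is constructed for the test run.
"""
import re
import subprocess
from datetime import datetime

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
11/06/2008 08:00:00  11/06/2008 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/06/2008 08:01:12  11/06/2008 18:00:00  host/ssh.example.com@EXAMPLE.COM
"""

# A ticket line is two timestamps followed by the service principal.
_STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
_TICKET = re.compile(r"^(%s)\s+(%s)\s+(\S+)" % (_STAMP, _STAMP))
_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")  # 4- or 2-digit year


def _parse_time(text):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_tickets(listing):
    """Return [(service_principal, expiry)] for every ticket line in a klist listing."""
    return [(m.group(3), _parse_time(m.group(2)))
            for m in map(_TICKET.match, listing.splitlines()) if m]


def tgt_expired(listing, now):
    """True when the cache holds tickets but no krbtgt/ entry still valid at `now`."""
    tickets = parse_tickets(listing)
    live_tgts = [e for svc, e in tickets if svc.startswith("krbtgt/") and e > now]
    return bool(tickets) and not live_tgts   # empty cache: nothing to destroy


def destroy_if_expired(now=None, run=subprocess.run):
    """Run klist; call kdestroy only if the TGT is gone. Returns True if destroyed."""
    listing = run(["klist"], capture_output=True, text=True).stdout
    if tgt_expired(listing, now or datetime.now()):
        run(["kdestroy"], check=True)
        return True
    return False
```

On MIT and Heimdal, `klist -s` already exits non-zero when the cache holds no valid TGT, so `klist -s || kdestroy` is the one-line shell form of the same check; the parser above is only useful if you need the expiry times themselves.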
