On credential cache separation between service ticket and TGT
Greg Hudson
ghudson at MIT.EDU
Tue Mar 25 14:02:59 EDT 2014
On 03/25/2014 12:37 PM, Arpit Srivastava wrote:
[...]
> - gss_init_sec_context called again and a new service ticket acquired.
>
> Now here, the krb5cc cache would keep on accumulating service tickets of
> same name but different validity time stamps.
> Isn't that superfluous?
The default ccache format (FILE) is basically append-only, so there is
no way to reclaim the space used by old tickets. We could prevent them
from being displayed by klist (as I believe Heimdal does), but that
wouldn't change the performance characteristics.
We have medium-term plans to implement a daemon-backed ccache type like
Heimdal has, which could more easily support removing old service
tickets when getting new ones.
> - Is there any way to renew service tickets the way TGT is renewed
> (at least till the validity of TGT) using GSS/Krb APIs.
Per RFC 4120, service tickets can be renewed just like TGTs, by
presenting them to the KDC and asking for a new ticket. However:
* Heimdal doesn't implement renewing non-TGTs (by my reading of the
code), and I'm not sure whether Active Directory implements it.
* Whether or not they are TGTs, tickets can only be renewed while they
are still valid. So if you got a 20-minute service ticket, used it
once, then didn't use it again until it was expired, you wouldn't be
able to renew it.
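To make both points above concrete (the append-only accumulation of same-name service tickets, and the rule that a ticket can only be renewed while it is still valid), here is an added example that is not code from this thread or from MIT krb5: a small reader for the FILE ccache format, version 4 (0x0504), applied to a cache constructed in the script itself. The byte layout follows the documented FILE format as I understand it (big-endian, "data" fields as 32-bit length plus bytes); the TKT_FLG_RENEWABLE constant, the principal names, and the timestamps are assumptions chosen for the illustration. A real cache would normally be inspected with klist; parsing the raw file just makes the duplicate entries and their end times visible without the display layer.

```python
"""Added example: minimal reader for the MIT FILE ccache format (version 4).
Constructed sample cache, not a capture from a real system."""
import struct
from collections import Counter

TKT_FLG_RENEWABLE = 0x00800000  # renewable ticket flag bit (assumed MIT value)


# --- encoders, used only to build the constructed sample cache ---
def _data(b):
    return struct.pack(">I", len(b)) + b


def _principal(realm, components, name_type=1):
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for c in components:
        out += _data(c.encode())
    return out


def _cred(client, server, times, flags):
    authtime, starttime, endtime, renew_till = times
    out = _principal(*client) + _principal(*server)
    out += struct.pack(">H", 18) + _data(b"\x00" * 32)    # keyblock: enctype, key bytes
    out += struct.pack(">IIII", authtime, starttime, endtime, renew_till)
    out += struct.pack(">BI", 0, flags)                    # is_skey, ticket_flags
    out += struct.pack(">I", 0) + struct.pack(">I", 0)     # addresses, authdata: none
    out += _data(b"TICKET") + _data(b"")                   # ticket, second_ticket
    return out


def build_sample_ccache(base=1000):
    """alice's TGT plus three 20-minute HTTP tickets obtained one after another."""
    realm = "EXAMPLE.COM"
    alice = (realm, ["alice"])
    tgt = (realm, ["krbtgt", realm])
    http = (realm, ["HTTP", "www.example.com"])
    renew_till = base + 7 * 86400
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)  # tag 1: KDC time offset
    buf = struct.pack(">HH", 0x0504, len(header)) + header + _principal(*alice)
    buf += _cred(alice, tgt, (base, base, base + 36000, renew_till), TKT_FLG_RENEWABLE)
    for t in (base, base + 1000, base + 2000):
        buf += _cred(alice, http, (t, t, t + 1200, renew_till), TKT_FLG_RENEWABLE)
    return buf


# --- decoder ---
class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self):
        self.u32()                                   # name type, not needed here
        n = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm


def parse_ccache(buf):
    r = _Reader(buf)
    if r.u16() != 0x0504:
        raise ValueError("only FILE ccache version 4 is handled here")
    r.take(r.u16())                                  # header (KDC time offset etc.)
    default_principal = r.principal()
    creds = []
    while r.pos < len(buf):                          # credentials run to end of file
        client, server = r.principal(), r.principal()
        r.u16(); r.data()                            # keyblock
        authtime, starttime, endtime, renew_till = [r.u32() for _ in range(4)]
        r.u8()                                       # is_skey
        flags = r.u32()
        for _ in range(r.u32()): r.u16(); r.data()   # addresses
        for _ in range(r.u32()): r.u16(); r.data()   # authdata
        r.data(); r.data()                           # ticket, second_ticket
        creds.append({"client": client, "server": server, "endtime": endtime,
                      "renew_till": renew_till, "flags": flags})
    return default_principal, creds


def duplicate_service_tickets(creds):
    """Server principals stored more than once: the accumulation the thread describes."""
    counts = Counter(c["server"] for c in creds)
    return {s: n for s, n in counts.items() if n > 1}


def renewable_now(creds, now):
    """Tickets a KDC could still renew at `now`: flag set, not expired, renew_till not passed."""
    return [c for c in creds if c["flags"] & TKT_FLG_RENEWABLE
            and now < c["endtime"] and now < c["renew_till"]]


if __name__ == "__main__":
    default, creds = parse_ccache(build_sample_ccache())
    print(default, duplicate_service_tickets(creds))
    for c in renewable_now(creds, now=3500):
        print("renewable:", c["server"], "until", c["endtime"])
```

Run with the constructed cache, the three HTTP entries show up as duplicates of one server principal, and at time 3500 only the TGT and the newest HTTP ticket (end time 4200) are still renewable; the two older 20-minute tickets have expired and, as the reply says, can no longer be renewed even though renew_till is far in the future.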