[krbdev.mit.edu #2106] bug in krb5_cc_remove_cred API?
gsu@UU.NET via RT
rt-comment at krbdev.mit.edu
Wed Jan 7 11:11:42 EST 2004
On Tue, 6 Jan 2004, Sam Hartman via RT wrote:
> >>>>> "gsu at UU" == gsu at UU NET via RT <rt-comment at krbdev.mit.edu> writes:
> gsu at UU> I noticed that if there are more than one credentials for
> gsu at UU> the same server, krb5_get_credentials returns the first
> gsu at UU> one found which may be expired. I have to use
> gsu at UU> krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option to
> gsu at UU> get the good credential and send to the server for
> gsu at UU> authentication. Since I have to keep getting new service
> gsu at UU> ticket, I thought it would be nice if I can remove all old
> gsu at UU> ones.
>
> The logic used by krb5_mk_req in 1.3.x should correctly use only
> unexpired credentials. Previous versions of Kerberos did not tend to
> do this correctly.
>
>
Is this new logic in release after 1.3.1?
I am looking at the 1.3.1 source tree. Suppose I have 2 service tickets,
the first one is expired.
krb5_mk_req calls krb5_get_credentials which returns the expired ticket.
krb5_mk_req calls krb5_mk_req_extended with this expired credential.
krb5_mk_req_extended calls krb5_validate_times.
krb5_validate_times returns KRB5KRB_AP_ERR_TKT_EXPIRED.
krb5_mk_req returns KRB5KRB_AP_ERR_TKT_EXPIRED to the caller.
So instead of calling krb5_mk_req, I call krb5_cc_retrieve_cred, then
call krb5_mk_req_extended with the valid credential.
More information about the krb5-bugs
mailing list