[krbdev.mit.edu #8152] gss_acquire_cred_with_password() ignores expired creds
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Mar 3 12:16:01 EST 2015
When Luke originally implemented gss_acquire_cred_with_password(), he had it use a memory ccache and not cache the resulting ticket. I didn't like the performance implications of that and changed it to use the default cache. I also made it not get tickets if the default cache already contains creds. This has some unfortunate implications.

At a minimum, gss_acquire_cred_with_password() needs to get new creds if the current cache's creds are expired or close to expiring (perhaps "more than halfway").

Another option is for gss_acquire_cred_with_password() to always get new creds, and document that applications should first call gss_acquire_cred() with just the name to see if there is a suitable cred present.

It may be worth checking on Heimdal's behavior to make sure that we aren't gratuitously divergent.
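The "expired or more than halfway through its lifetime" test that the ticket proposes, written out as a stand-alone C example. This is added illustration, not code from the ticket or from MIT krb5: the cred_times struct is a local stand-in for the starttime/endtime fields of a cached ticket, the halfway threshold is the ticket's own suggestion, and the sample times are constructed. A GSS-API implementation would apply a check like this to the default cache's creds before deciding whether to reuse them or fetch new ones with the supplied password.

```c
#include <stdio.h>
#include <time.h>

/* Local stand-in for the validity window of a cached ticket (assumed
 * layout; mirrors the starttime/endtime idea, not a krb5 type). */
typedef struct {
    time_t starttime;   /* when the ticket became valid */
    time_t endtime;     /* when the ticket expires */
} cred_times;

typedef enum {
    CRED_USABLE  = 0,   /* fresh: reuse the cached creds */
    CRED_EXPIRED = 1,   /* endtime has passed (or window malformed) */
    CRED_STALE   = 2    /* more than half the lifetime is gone */
} cred_status;

/* Classify cached creds at time `now`. The caller passes `now` so the
 * decision is deterministic and testable. */
cred_status cred_check(const cred_times *t, time_t now)
{
    if (t->endtime <= now)
        return CRED_EXPIRED;
    if (t->starttime >= t->endtime)      /* empty or inverted window */
        return CRED_EXPIRED;

    time_t life = t->endtime - t->starttime;
    time_t used = now - t->starttime;
    if (used < 0)
        used = 0;                        /* postdated ticket: not used yet */

    /* "more than halfway": 2*used > life, written without overflow */
    if (used > life - used)
        return CRED_STALE;
    return CRED_USABLE;
}

/* Policy from the ticket: reacquire unless the cached creds are still
 * clearly usable. Returns 1 to fetch new creds with the password, 0 to
 * reuse the cache. */
int should_reacquire(const cred_times *t, time_t now)
{
    return cred_check(t, now) != CRED_USABLE;
}

int main(void)
{
    /* Constructed sample: a 10-hour ticket issued at t=1000. */
    cred_times tk = { .starttime = 1000, .endtime = 1000 + 36000 };
    time_t probes[] = { 1000 + 3600, 1000 + 18000, 1000 + 18001, 37000 };
    const char *names[] = { "USABLE", "EXPIRED", "STALE" };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        cred_status s = cred_check(&tk, probes[i]);
        printf("now=%ld -> %s, reacquire=%d\n",
               (long)probes[i], names[s], should_reacquire(&tk, probes[i]));
    }
    return 0;
}
```

The exact-halfway case is treated as still usable; any boundary works as long as the check is applied consistently, and the important property is that expired creds are never silently reused.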