From rt-comment at krbdev.mit.edu  Mon Jul  1 20:20:47 2024
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 01 Jul 2024 20:20:47 -0400
Subject: [krbdev.mit.edu #9131] git commit
References: <RT-Ticket-9131@mit.edu>
Message-ID: <rt-4.4.3-2-814301-1719879647-239.9131-4-0@mit.edu>


Mon Jul 01 20:20:47 2024: Request 9131 was acted upon.
 Transaction: Ticket created by ghudson at mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson at mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9131 >



Adjust removed cred detection in FILE ccache

In the FILE ccache, consider a cred to be removed if it has endtime 0
and authtime non-zero, instead of specifically authtime -1.  This
change will let us filter out normal credentials deleted by Heimdal,
although not synthetic credentials such as config entries.

https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Author: Greg Hudson <ghudson at mit.edu>
Commit: 4c0838bb4c232866b95c9f2f72a55bf77cfc1308
Branch: master
 src/lib/krb5/ccache/cc_file.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)


From rt-comment at krbdev.mit.edu  Mon Jul  1 21:29:53 2024
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 01 Jul 2024 21:29:53 -0400
Subject: [krbdev.mit.edu #9132] git commit
References: <RT-Ticket-9132@mit.edu>
Message-ID: <rt-4.4.3-2-821844-1719883793-1293.9132-4-0@mit.edu>


Mon Jul 01 21:29:53 2024: Request 9132 was acted upon.
 Transaction: Ticket created by ghudson at mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson at mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9132 >



Change krb5_get_credentials() endtime behavior

Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion.  These
uses are in conflict; setting a TGS request endtime can only serve to
limit the maximum lifetime of the issued ticket, while a cache lookup
endtime restricts the minimum lifetime of an acceptable cached ticket.
The likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.

Change to the Heimdal behavior of using in_creds->times.endtime only
as the TGS request endtime.

https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson <ghudson at mit.edu>
Commit: e68890329f8ab766f9b746351b5c7d2d18d8dd48
Branch: master
 src/include/krb5/krb5.hin    |  8 ++++----
 src/lib/krb5/krb/get_creds.c | 13 +++++--------
 2 files changed, 9 insertions(+), 12 deletions(-)