[krbdev.mit.edu #9132] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Jul 1 21:29:53 EDT 2024
Mon Jul 01 21:29:53 2024: Request 9132 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9132 >
Change krb5_get_credentials() endtime behavior
Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion. These
uses are in conflict; setting a TGS request endtime can only serve to
limit the maximum lifetime of the issued ticket, while a cache lookup
endtime restricts the minimum lifetime of an acceptable cached ticket.
The likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.
Change to the Heimdal behavior of using in_creds->times.endtime only
as the TGS request endtime.
https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson <ghudson at mit.edu>
Commit: e68890329f8ab766f9b746351b5c7d2d18d8dd48
Branch: master
src/include/krb5/krb5.hin | 8 ++++----
src/lib/krb5/krb/get_creds.c | 13 +++++--------
2 files changed, 9 insertions(+), 12 deletions(-)
More information about the krb5-bugs
mailing list