Renewable service tickets

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jun 9 14:50:43 EDT 2010


On 6/9/2010 12:59 PM, ghudson at mit.edu wrote:
>   3. It is a pretty dubious assumption that the caller has any
>   interest in a renewable service ticket.  Jeff Altman pointed out
>   that the caller *could* sever the service ticket from the TGT and
>   pass it to some other process which could then renew it, but this is
>   pretty exotic behavior, and I'm confident that no one is doing so.
>   As evidence, I'll point out that krb5_get_renewed_creds() has been
>   broken for non-TGT ticket renewals for its entire lifetime up until
>   I fixed it on trunk on April 12.  If we do find a reason to support
>   this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
>   application to explicitly request renewable service tickets (and
>   provide a default value for renew_till as noted in (1)).

Network Identity Manager has logic to perform service ticket renewals
when the TGT is not present and the service ticket is renewable.
I will have to look at your fix to the trunk because I know this
functionality has worked in the past.  It certainly works with the
MSLSA: interface and with Heimdal.

Jeffrey Altman






More information about the krbdev mailing list