Renewable service tickets
jaltman at secure-endpoints.com
Wed Jun 9 14:50:43 EDT 2010

On 6/9/2010 12:59 PM, ghudson at mit.edu wrote:
> 3. It is a pretty dubious assumption that the caller has any
> interest in a renewable service ticket. Jeff Altman pointed out
> that the caller *could* sever the service ticket from the TGT and
> pass it to some other process which could then renew it, but this is
> pretty exotic behavior, and I'm confident that no one is doing so.
> As evidence, I'll point out that krb5_get_renewed_creds() has been
> broken for non-TGT ticket renewals for its entire lifetime up until
> I fixed it on trunk on April 12. If we do find a reason to support
> this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
> application to explicitly request renewable service tickets (and
> provide a default value for renew_till as noted in (1)).

Network Identity Manager has logic to perform service ticket renewals
when the TGT is not present and the service ticket is renewable.
I will have to look at your fix to the trunk because I know this
functionality has worked in the past. It certainly works with the
MSLSA: interface and with Heimdal.
More information about the krbdev