Ticket #8152 gss_acquire_cred_with_password() ignores expired creds
sorinm at gmail.com
Sat Jun 20 13:38:40 EDT 2015
On 2015-06-19 23:35, Greg Hudson wrote:
> On 06/18/2015 12:13 PM, Sorin Manolache wrote:
>> I think I've found a memory leak in gss_add_cred_with_password, in krb5
>> 1.12.1 and 1.13.1.
>> The gss_OID_set target_mechs in gss_add_cred_with_password
>> (lib/gssapi/mechglue/g_acquire_cred_with_pw.c) is not released if the
>> function returns GSS_S_COMPLETE.
> Thanks; I have filed a pull request. This should be fixed in 1.13.3 and
> probably also a 1.12.x patch release.
> Be aware that we are planning to change the behavior of
> gss_acquire_cred_with_password in 1.14 as discussed here:
Thank you for the information. However I didn't get how you intend to
change the behaviour.
The ticket mentions checking with Heimdal. Here's what I could
understand from the Heimdal code:
It traverses all caches (krb5_cc_cache_match) in order to match the
if found => link the found cache to the cred
If not found => checks if the principal of the dflt cache matches
if not => fetch creds from KDC, create a new unique memory cache,
store the creds there, link the new cache to the gss_cred structure. The
destroy_cache_on_release flag is set on the gss_cred structure.
if yes => link the dflt cache to the cred.
So newly fetched creds are not stored in the default cache. They are
stored in a new memory cache that is destroyed when the gss_cred_id_t is
Because the newly created cache is destroyed when the gss_cred is
released, a new invocation of gss_acquire_cred_with_password will fetch
the credentials again from the KDC.
One would benefit of the cache only if the principal of the default
cache matches the principal of the gss_acquire_cred_with_password.
Heimdal does not fetch new credentials from the KDC when the cache
contains expired credentials.
More information about the krbdev