Ticket #8152 gss_acquire_cred_with_password() ignores expired creds

Benjamin Kaduk kaduk at MIT.EDU
Sat Jun 20 18:01:09 EDT 2015

On Sat, 20 Jun 2015, Sorin Manolache wrote:

> Thank you for the information. However I didn't get how you intend to
> change the behaviour.
> The ticket mentions checking with Heimdal. Here's what I could
> understand from the Heimdal code:
> It traverses all caches (krb5_cc_cache_match) in order to match the
> principal.
>     if found => link the found cache to the cred
> If not found => checks if the principal of the dflt cache matches
>     if not => fetch creds from KDC, create a new unique memory cache,
> store the creds there, link the new cache to the gss_cred structure. The
> destroy_cache_on_release flag is set on the gss_cred structure.
>     if yes => link the dflt cache to the cred.
> So newly fetched creds are not stored in the default cache. They are
> stored in a new memory cache that is destroyed when the gss_cred_id_t is
> released.
> Because the newly created cache is destroyed when the gss_cred is
> released, a new invocation of gss_acquire_cred_with_password will fetch
> the credentials again from the KDC.
> One would benefit of the cache only if the principal of the default
> cache matches the principal of the gss_acquire_cred_with_password.
> Heimdal does not fetch new credentials from the KDC when the cache
> contains expired credentials.

The proposed change will result in gss_acquire_cred_with_password() never
using cached credentials, and always fetching new credentials from the
KDC.  The motivation is that the routine can be used to implement
password-checking functionality, and using cached credentials could allow
an incorrect password to be erroneously accepted.


More information about the krbdev mailing list