Ticket #8152 gss_acquire_cred_with_password() ignores expired creds

Greg Hudson ghudson at mit.edu
Sun Jun 21 01:55:36 EDT 2015

On 06/20/2015 01:38 PM, Sorin Manolache wrote:
> Thank you for the information. However I didn't get how you intend to
> change the behaviour.

Sorry if the ticket wasn't clear.  As Ben explained, credentials will be
fetched into a unique memory ccache.  The idea is that if you want to
interact with the shared cache, you can use gss_acquire_cred()
beforehand and gss_store_cred() afterwards.  This new behavior matches
the original behavior of the function when it was introduced in Solaris;
I misguidedly changed it when we first introduced the function into MIT

> The ticket mentions checking with Heimdal. Here's what I could
> understand from the Heimdal code:

Heimdal is also changing its behavior:


More information about the krbdev mailing list