gssapi and an expired TGT in cache
sorinm at gmail.com
Wed Mar 4 15:44:05 EST 2015
On 2015-03-04 17:21, Greg Hudson wrote:
> On 03/04/2015 10:42 AM, Sorin Manolache wrote:
>> Unfortunately it seems that krb5_cc_remove_cred is not implemented for
>> the memory cache type either.
> Yes, but if you use a memory ccache, you won't be sharing with other
> processes, so there will never be pre-existing creds there.
That is true. However my application is a http server module with an
indefinite running time (similar to
so the credentials will eventually expire.
As the server is multi-threaded the krb5_cc_destroy alternative doesn't
work either: all gss_acquire_cred/krb5 calls should be then protected by
a mutex in order to avoid a race condition with krb5_cc_destroy. As my
module does almost exclusively gssapi/krb5 calls the whole application
becomes almost mono-threaded.
So I see the following alternatives:
1) patch gss_acquire_cred_with_password such that it detects that the
TGT stored in the cache is expired, makes a KDC request, and replaces
the expired TGT in the cache with the newly created TGT.
2) implement krb5_mcc_remove_cred. Is there any particular reason why it
was left unimplemented?
3) switch to the heimdal implementation. However heimdal uses the cache
only if the desired name passed to gss_acquire_cred is the default
principal of the cache so it's not really what I want either.
I would try the 2nd. If I succeed I'll submit the patch. If I fail, I'll
go with the 3rd one.
More information about the krbdev