gssapi and an expired TGT in cache
Sorin Manolache
sorinm at gmail.com
Wed Mar 4 15:44:05 EST 2015
On 2015-03-04 17:21, Greg Hudson wrote:
> On 03/04/2015 10:42 AM, Sorin Manolache wrote:
>> Unfortunately it seems that krb5_cc_remove_cred is not implemented for
>> the memory cache type either.
>
> Yes, but if you use a memory ccache, you won't be sharing with other
> processes, so there will never be pre-existing creds there.
>
That is true. However my application is a http server module with an
indefinite running time (similar to
http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf)
so the credentials will eventually expire.
As the server is multi-threaded the krb5_cc_destroy alternative doesn't
work either: all gss_acquire_cred/krb5 calls would then have to be protected by
a mutex in order to avoid a race condition with krb5_cc_destroy. As my
module makes almost exclusively gssapi/krb5 calls, the whole application
becomes almost single-threaded.
So I see the following alternatives:
1) patch gss_acquire_cred_with_password such that it detects that the
TGT stored in the cache is expired, makes a KDC request, and replaces
the expired TGT in the cache with the newly created TGT.
2) implement krb5_mcc_remove_cred. Is there any particular reason why it
was left unimplemented?
3) switch to the heimdal implementation. However heimdal uses the cache
only if the desired name passed to gss_acquire_cred is the default
principal of the cache so it's not really what I want either.
I would try the 2nd. If I succeed I'll submit the patch. If I fail, I'll
go with the 3rd one.
Best regards,
Sorin