From: Sam Hartman
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8152] gss_acquire_cred_with_password() ignores expired creds
Date: Thu, 19 Mar 2015 17:32:20 -0400
In-Reply-To: (Greg Hudson via's message of "Thu, 19 Mar 2015 17:21:37 -0400 (EDT)")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

>>>>> "Greg" == Greg Hudson via RT writes:

    Greg> If you don't carefully manage your KRB5CCNAME, there is the
    Greg> potential that gss_acquire_cred_with_password() might succeed
    Greg> without making an AS request, and the creds you have might
    Greg> verify correctly even though the password was never used.

Was this true when it generated a memory ccache? Is that the behavior
you want to go back to?