Date: Mon, 22 Aug 2011 20:45:42 -0400 (EDT)
From: Geoffrey Thomas <geofft@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: Funny klist output if you try to get credentials right when a ticket expires
CC: Alexander W Dehnert <adehnert@MIT.EDU>
If you try to get credentials for a service shortly after a ticket
expires, klist shows that you get several copies of the service ticket in
your credential cache. (None of them work.)

I run into this fairly often with a 2-hour-lifetime ccache for my root
instance, when I'm logging into servers right around when the ticket
expires. I've also heard this happens reasonably often with zephyr/zephyr.

mega-man:~ geofft$ kinit -l1m
Password for geofft@ATHENA.MIT.EDU:
[wait a little more than one minute]
mega-man:~ geofft$ ssh athena.dialup
Password:

mega-man:~ geofft$ klist
Ticket cache: FILE:/tmp/cc
Default principal: geofft@ATHENA.MIT.EDU

Valid starting Expires Service principal
08/22/11 20:40:44 08/22/11 20:41:44 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU
08/22/11 20:42:01 08/22/11 20:41:44 host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU

--
Geoffrey Thomas
geofft@mit.edu
From: ghudson@mit.edu
Subject: git commit

Don't use expired TGTs in TGS-REQs

https://github.com/krb5/krb5/commit/9977eb769b9def8fbbf289f7eac3938c863fa2ef
Author: Nicolas Williams <nico@cryptonector.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9977eb769b9def8fbbf289f7eac3938c863fa2ef
Branch: master
src/lib/krb5/krb/get_creds.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Better fix for not using expired TGTs in TGS-REQs

We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is
expired, like we would if we tried the TGT against the KDC. To make
this work, separate the helpers for getting local and crossrealm
cached TGTs. For a crossrealm TGT, match against the endtime, as
there could be multiple entries. For a local TGT, find any match, but
check if it's expired. The cache_code field is no longer needed after
this change, so get rid of it.

https://github.com/krb5/krb5/commit/bcece3a8289dcce0dc0a2bf7a35ed339ee9a98ec
Author: Greg Hudson <ghudson@mit.edu>
Commit: bcece3a8289dcce0dc0a2bf7a35ed339ee9a98ec
Branch: master
src/lib/krb5/krb/get_creds.c | 144 ++++++++++++++++++++++++++---------------
1 files changed, 91 insertions(+), 53 deletions(-)
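As an added illustration (this is not krb5 project code and not the change made to get_creds.c), the C below models the two cached-TGT lookups the commit message describes, a local lookup that reports an expired TGT instead of using it, and a cross-realm lookup that matches on end time because several entries can coexist, together with a sanity check over a credential cache that counts tickets whose expiry precedes their start, which is the symptom visible in the klist output at the top of the ticket. The in-memory cache is constructed from that klist output; the EXAMPLE.COM cross-realm entries, the function names and the LOOKUP_* status codes are assumptions of the example and do not correspond to krb5 identifiers.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Illustrative status codes (assumed, not krb5's); the expired case stands
 * in for the KRB5KRB_AP_ERR_TKT_EXPIRED error the commit message refers to. */
enum { LOOKUP_OK = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_EXPIRED = 2 };

struct cred {
    const char *server;  /* service principal, as klist prints it */
    time_t starttime;    /* klist "Valid starting" */
    time_t endtime;      /* klist "Expires" */
};

/* Clock values as seconds since midnight on 08/22/11; only differences matter. */
#define T(h, m, s) ((time_t)((h) * 3600 + (m) * 60 + (s)))

/* Constructed in-memory credential cache: the seven entries from the klist
 * output in the report, plus two hypothetical cross-realm TGTs for a realm
 * EXAMPLE.COM (one already expired, one still valid) that are not on the
 * page and exist only to exercise the cross-realm lookup. */
static const struct cred sample_cache[] = {
    { "krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU",       T(20, 40, 44), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "host/buzzword-bingo.mit.edu@ATHENA.MIT.EDU", T(20, 42,  1), T(20, 41, 44) },
    { "krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU",          T(20, 30,  0), T(20, 41, 44) },
    { "krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU",          T(20, 42,  0), T(22, 42,  0) },
};
static const size_t sample_cache_len = sizeof sample_cache / sizeof sample_cache[0];

/* Local TGT lookup (krbtgt/REALM@REALM).  Any cached entry matches, but an
 * expired one is reported as LOOKUP_EXPIRED rather than handed back.  That is
 * the post-fix behaviour; before the fix the expired TGT went into the TGS-REQ. */
static int find_local_tgt(const struct cred *cc, size_t n, const char *realm,
                          time_t now, const struct cred **out)
{
    char name[256];
    snprintf(name, sizeof name, "krbtgt/%s@%s", realm, realm);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cc[i].server, name) != 0)
            continue;
        if (cc[i].endtime <= now)
            return LOOKUP_EXPIRED;
        if (out)
            *out = &cc[i];
        return LOOKUP_OK;
    }
    return LOOKUP_NOT_FOUND;
}

/* Cross-realm TGT lookup (krbtgt/REMOTE@LOCAL).  Several entries for the same
 * remote realm may coexist, so the end time is part of the match: entries that
 * have already expired are skipped and the first still-valid one is returned. */
static int find_crossrealm_tgt(const struct cred *cc, size_t n,
                               const char *local_realm, const char *remote_realm,
                               time_t now, const struct cred **out)
{
    char name[256];
    snprintf(name, sizeof name, "krbtgt/%s@%s", remote_realm, local_realm);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cc[i].server, name) != 0 || cc[i].endtime <= now)
            continue;
        if (out)
            *out = &cc[i];
        return LOOKUP_OK;
    }
    return LOOKUP_NOT_FOUND;
}

/* Sanity check over a cache: count entries whose expiry precedes their start
 * time.  Such tickets can never be valid, and a run of identical ones for the
 * same service is exactly what klist showed in the report. */
static size_t count_dead_on_arrival(const struct cred *cc, size_t n)
{
    size_t dead = 0;
    for (size_t i = 0; i < n; i++)
        if (cc[i].endtime < cc[i].starttime)
            dead++;
    return dead;
}

int main(void)
{
    const struct cred *tgt = NULL;
    time_t now = T(20, 42, 1);  /* the moment the ssh in the report ran */
    int rc = find_local_tgt(sample_cache, sample_cache_len, "ATHENA.MIT.EDU", now, &tgt);
    printf("local TGT lookup at 20:42:01: %s\n",
           rc == LOOKUP_EXPIRED ? "expired, no TGS-REQ sent" : "usable");
    rc = find_crossrealm_tgt(sample_cache, sample_cache_len, "ATHENA.MIT.EDU",
                             "EXAMPLE.COM", now, &tgt);
    printf("cross-realm TGT lookup: %s\n", rc == LOOKUP_OK ? "found a valid entry" : "none");
    printf("dead-on-arrival tickets in cache: %zu\n",
           count_dead_on_arrival(sample_cache, sample_cache_len));
    return 0;
}
```

Build with `cc -std=c99 -Wall tgt_lookup.c`. The point the commit makes, and that the model reproduces, is that the client refuses at lookup time: with the TGT already expired, the local lookup fails before any TGS-REQ is built, so no already-expired service ticket is stored and then re-fetched, which is how the six identical host/ entries accumulated.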