Subject: Client keytab does not refresh tickets in gss_init_sec_context()
The GSS krb5 client keytab facility has logic to refresh a ticket
cache after it is halfway to expired. This logic only applies at
gss_acquire_cred() time, not at gss_init_sec_context() time.
Therefore, if an application acquires a credential and uses it for
gss_init_sec_context() calls across a long period of time, the
credential will eventually expire and we will not refresh it.
A workaround is for the application to pass GSS_C_NO_CREDENTIAL to
gss_init_sec_context() (so that a default credential is implicitly
acquired each time), or acquire a credential each time.
Whether this is a bug is arguable. In the GSSAPI model, an
application isn't supposed to expect a credential to last forever, and
in fact there are facilities to query the credential lifetime. But in
our mechanism, there is also no guarantee that the lifetime remains
constant (as another application could refresh the ccache), so there
is no real reason why we shouldn't do better.
(This issue is related to but separate from #7976, where the refresh
logic does not apply if the credential cache was manually populated.)