From: | ghudson@mit.edu |
Subject: | git commit |
Change krb5_get_credentials() endtime behavior
Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion. These
uses are in conflict; setting a TGS request endtime can only serve to
limit the maximum lifetime of the issued ticket, while a cache lookup
endtime restricts the minimum lifetime of an acceptable cached ticket.
The likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.
Change to the Heimdal behavior of using in_creds->times.endtime only
as the TGS request endtime.
https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson <ghudson@mit.edu>
Commit: e68890329f8ab766f9b746351b5c7d2d18d8dd48
Branch: master
src/include/krb5/krb5.hin | 8 ++++----
src/lib/krb5/krb/get_creds.c | 13 +++++--------
2 files changed, 9 insertions(+), 12 deletions(-)