[37148] in Kerberos
Re: kerberos ticket cache
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jul 10 09:52:34 2015
From: Tom Yu <tlyu@mit.edu>
To: Andrew Levin <amlevin@mit.edu>
Date: Fri, 10 Jul 2015 09:52:20 -0400
In-Reply-To: <EE01C89A84021A42A2D65A1C683626F9848BAFBF@OC11expo28.exchange.mit.edu>
(Andrew Levin's message of "Fri, 10 Jul 2015 08:37:48 +0000")
Message-ID: <ldv7fq8yvaj.fsf@sarnath.mit.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

Andrew Levin <amlevin@mit.edu> writes:
> I have noticed that even after I delete my Kerberos ticket cache, as below, I remain authenticated (e.g. I can open files in an area where Kerberos authentication is required). How is this possible?
>
> [anlevin@lxplus0055 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
> Default principal: anlevin@CERN.CH
>
> Valid starting     Expires            Service principal
> 07/10/15 09:54:58  07/11/15 10:54:58  krbtgt/CERN.CH@CERN.CH
>         renew until 07/15/15 09:54:58
> 07/10/15 09:54:59  07/11/15 10:54:58  afs/cern.ch@CERN.CH
>         renew until 07/15/15 09:54:58
> [anlevin@lxplus0055 ~]$ rm /tmp/krb5cc_13535_4nn0mf

You didn't mention which sort of remote filesystem you're concerned
with, but based on your klist output, you might be using AFS. The AFS
client maintains a separate cache of AFS tokens, derived from the
afs/cellname Kerberos ticket. You can typically use the "unlog" command
to destroy those AFS tokens.

Also, we generally recommend that people use kdestroy to destroy
Kerberos tickets.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
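
The two credential stores described in the reply, as an added example that is not part of the original thread: the parser flags afs/<cell> service tickets in klist output (each one implies an AFS token that removing the cache file leaves behind), and the second function clears both stores with kdestroy and unlog and then checks them. The function names are hypothetical, and the match on the "tokens" output wording is an assumption about the OpenAFS client.

```shell
#!/bin/sh
# Added example, not from the original thread.

# klist output copied from the quoted message ("renew until" lines omitted).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
Default principal: anlevin@CERN.CH

Valid starting     Expires            Service principal
07/10/15 09:54:58  07/11/15 10:54:58  krbtgt/CERN.CH@CERN.CH
07/10/15 09:54:59  07/11/15 10:54:58  afs/cern.ch@CERN.CH'

# Read klist output on stdin; print the cell of each afs/<cell>@REALM ticket.
# Every cell printed may have an AFS token that survives deleting the ccache.
afs_cells_from_klist() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ "^afs/[^@]+@") {
                cell = $i
                sub("^afs/", "", cell)
                sub("@.*$", "", cell)
                print cell
            }
    }'
}

# Destroy Kerberos tickets with kdestroy and AFS tokens with unlog, then
# check both stores. Returns 0 only if nothing was found afterwards.
destroy_all_credentials() {
    left=0
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy 2>/dev/null || true
        # klist -s prints nothing and exits 0 only while valid tickets remain.
        if klist -s 2>/dev/null; then
            echo "Kerberos tickets still present" >&2; left=1
        fi
    fi
    if command -v unlog >/dev/null 2>&1; then
        unlog
        # Assumption: the OpenAFS "tokens" command prints "tokens for" per token.
        if tokens 2>/dev/null | grep -q 'tokens for'; then
            echo "AFS tokens still present" >&2; left=1
        fi
    fi
    return "$left"
}

# Demo on the sample input only; prints: cern.ch
printf '%s\n' "$SAMPLE_KLIST" | afs_cells_from_klist
```

On a real login host, `klist | afs_cells_from_klist` shows which cells to expect tokens for before calling `destroy_all_credentials`.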