[37497] in Kerberos


Re: Re-authentication vs Renewal of credentials by a service and the

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 12 11:02:42 2016

To: Todd Grayson <tgrayson@cloudera.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <57349B00.8000802@mit.edu>
Date: Thu, 12 May 2016 11:02:24 -0400
MIME-Version: 1.0
In-Reply-To: <CALNT6MU=T907q18a8O7J8Wi1uuZJC5zYSSJi8vBuPhzg4KxKRA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 05/12/2016 09:48 AM, Todd Grayson wrote:
> When a service re-authenticates to the KDC, effectively getting a new TGT,
> are the service tickets related to previous instance of the TGT for that
> service, no longer valid?

No and yes.  From a protocol perspective, service tickets remain valid
until they expire, regardless of what TGTs have been obtained since they
were issued.

From an implementation perspective (at least in MIT krb5 and Heimdal),
tickets are usually stored in a credential cache.  If the TGT is
replaced or renewed, the credential cache is restarted from scratch,
discarding any pre-existing service tickets.  There is no difference
between re-authentication and renewal in this respect.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
