[30417] in Kerberos
Re: Destroy expired tickets?
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Thu Nov 6 10:07:04 2008
From: Ken Raeburn <raeburn@MIT.EDU>
To: Stefan Monnier <monnier@iro.umontreal.ca>
In-Reply-To: <jwvmygdsiwn.fsf-monnier+gmane.comp.encryption.kerberos.general@gnu.org>
Message-Id: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>
Date: Thu, 6 Nov 2008 10:05:31 -0500
Cc: kerberos@MIT.EDU
On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
> How can I destroy expired tickets?
>
> They're useless at best, and in some cases they're positively harmful
> (their presence prompts `ssh' to contact the KDC to try and delegate
> credentials, which is a waste if the tickets are expired, and is really
> annoying when the KDC times out because it's behind a firewall).

Hm, that sounds a bit broken. I could see, maybe, inferring that you
want to use Kerberos and prompting to get new tickets, but trying to
forward expired ones is no good...

> But I couldn't find any command that would destroy only expired tickets.
> Any idea what I should use? I guess I could try and parse the date&time
> in "klist", but it'd be a pain in the rear and blatantly brittle.

Running "klist -s" and testing the exit status should let you figure
out if there are currently-valid tickets. I don't know if there's a
way to test for "tickets exist and are not valid", though perhaps
"klist >& /dev/null" (C shell syntax) succeeding and "klist -s"
failing would do the job. Or you could try "klist -s" and then just
run "kdestroy >& /dev/null", ignoring any errors caused by a ticket
cache not existing.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
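
The exit-status approach from the reply above, written for a POSIX shell (where the C shell `>& /dev/null` becomes `>/dev/null 2>&1`), as an added example that is not part of the original message. The function names are hypothetical, and it assumes, as the reply tentatively suggests, that plain `klist` succeeds on a cache whose tickets have expired while `klist -s` fails.

```shell
#!/bin/sh
# Added example: decide what to do with the credential cache from exit
# statuses alone, without parsing the dates that klist prints.

# Prints one of: valid | expired | absent
ticket_cache_state() {
    if klist -s 2>/dev/null; then
        # klist -s exits 0 only when the cache holds currently-valid tickets.
        echo valid
    elif klist >/dev/null 2>&1; then
        # Assumption taken from the reply: the cache can still be listed,
        # so tickets exist, but none of them is valid any more.
        echo expired
    else
        # No cache at all, or it cannot be read.
        echo absent
    fi
}

# Runs kdestroy only when the cache is in the "expired" state, so valid
# tickets are never thrown away and a missing cache produces no error.
destroy_expired_tickets() {
    case "$(ticket_cache_state)" in
        expired) kdestroy >/dev/null 2>&1 ;;
        *)       return 0 ;;
    esac
}
```

Calling `destroy_expired_tickets` from a shell profile or an `ssh` wrapper clears a stale cache before `ssh` attempts credential delegation. It acts on whichever cache `KRB5CCNAME` (or the default) points to.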