[30419] in Kerberos
Re: Destroy expired tickets?
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Thu Nov 6 16:47:06 2008
From: "Richard E. Silverman" <res@qoxp.net>
Date: Thu, 06 Nov 2008 13:52:15 -0500
Message-ID: <m2mygcy9eo.fsf@darwin.oankali.net>
To: kerberos@mit.edu
>>>>> "KR" == Ken Raeburn <raeburn@MIT.EDU> writes:
KR> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively
>> harmful (their presence prompts `ssh' to contact the KDC to try and
>> delegate credentials, which is a waste if the tickets are expired,
>> and is really annoying when the KDC times out because it's behind a
>> firewall).
KR> Hm, that sounds a bit broken. I could see, maybe, inferring that
KR> you want to use Kerberos and prompting to get new tickets, but
KR> trying to forward expired ones is no good...
>> But I couldn't find any command that would destroy only expired
>> tickets. Any idea what I should use? I guess I could try and
>> parse the date&time in "klist", but it'd be a pain in the rear and
>> blatantly brittle.
FWIW, the Perl Authen::Krb5 module would allow you to write such a utility
pretty easily.
KR> Running "klist -s" and testing the exit status should let you
KR> figure out if there are currently-valid tickets. I don't know if
KR> there's a way to test for "tickets exist and are not valid",
KR> though perhaps "klist >& /dev/null" (C shell syntax) succeeding
KR> and "klist -s" failing would do the job. Or you could try "klist
KR> -s" and then just run "kdestroy >& /dev/null", ignoring any errors
KR> caused by a ticket cache not existing.
KR> Ken
--
Richard Silverman
res@qoxp.net
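
The check suggested in the quoted reply ("klist" succeeding while "klist -s" fails), written out as a POSIX sh sketch. This is an added example, not code from anyone in the thread; the function names and the KLIST/KDESTROY override variables are assumptions made here so the commands can be stubbed.

```shell
#!/bin/sh
# Added example: destroy the credential cache only when its tickets are expired.
# KLIST and KDESTROY are hypothetical override variables (not Kerberos options);
# they default to the real commands and exist so the logic can be tested.
: "${KLIST:=klist}"
: "${KDESTROY:=kdestroy}"

# Print one of: valid | expired | none
#   "klist -s" exits 0 only when the cache is readable and not expired.
#   Plain "klist" exits 0 whenever a cache can be read, expired or not.
ccache_state() {
    if "$KLIST" -s; then
        echo valid
    elif "$KLIST" >/dev/null 2>&1; then
        echo expired
    else
        echo none
    fi
}

# Destroy the cache only in the "expired" state and print the state seen.
# Valid tickets and a missing cache are left alone. Returns 1 only if
# kdestroy itself fails.
purge_expired_ccache() {
    state=$(ccache_state)
    if [ "$state" = expired ]; then
        "$KDESTROY" >/dev/null 2>&1 || { echo "$state"; return 1; }
    fi
    echo "$state"
}
```

Source the file and call purge_expired_ccache before ssh or from a login script; unlike an unconditional kdestroy, it never discards tickets that are still valid.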