Re: Destroy expired tickets?
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Fri Nov 7 07:31:31 2008
In-Reply-To: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <17494883-FF74-467A-9FB2-46C26764FDA4@sxw.org.uk>
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Fri, 7 Nov 2008 00:13:42 +0000
To: Ken Raeburn <raeburn@mit.edu>
Cc: Stefan Monnier <monnier@iro.umontreal.ca>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 6 Nov 2008, at 15:05, Ken Raeburn wrote:
> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively harmful
>> (their presence prompts `ssh' to contact the KDC to try and delegate
>> credentials, which is a waste if the tickets are expired, and is really
>> annoying when the KDC times out because it's behind a firewall).
>
> Hm, that sounds a bit broken. I could see, maybe, inferring that you
> want to use Kerberos and prompting to get new tickets, but trying to
> forward expired ones is no good...
I'm not sure which version of ssh is being referred to here; however,
I can comment on what OpenSSH does (I suspect SunSSH has similar
behaviour).
OpenSSH with my patches calls gss_init_sec_context() for each
supported mechanism to determine whether it should try key exchange
for that mechanism (that's because if we pick a key exchange
mechanism that fails for any reason, we've got no choice but to fail
the connection).
Depending on your Kerberos library, the presence (or absence) of a
credentials cache may affect whether the call to gss_init_sec_context()
causes the KDC to be contacted. It won't have any effect on
delegation.
S.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
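The original question in this thread is how to find and get rid of expired tickets in a credentials cache. The script below is an added example, not code from the thread or from OpenSSH or MIT Kerberos: it parses the listing format printed by MIT `klist` (assumed here to use `mm/dd/yy HH:MM:SS` or `mm/dd/yyyy HH:MM:SS` timestamps), reports which cached tickets are already past their expiry relative to a reference time, and tells you whether the cache still holds a usable TGT. The `klist` output it runs on is constructed sample data embedded in the file. When the TGT itself has expired, the cache is exactly the kind of stale state the thread describes, and `kdestroy` (the standard MIT tool for wiping a cache) is the cleanup to run.

```python
"""Flag expired Kerberos tickets from captured ``klist`` output.

Added example, not from the thread: parses the MIT ``klist`` listing
format (assumed: 'mm/dd/yy HH:MM:SS' or 'mm/dd/yyyy HH:MM:SS'
timestamps) and reports which cached tickets are past their expiry.
"""
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample: a cache the morning after the tickets were obtained
# (timestamps are local time, exactly as klist prints them).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
11/06/08 09:00:00  11/06/08 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/13/08 09:00:00
11/06/08 09:05:12  11/06/08 19:00:00  host/server.example.com@EXAMPLE.COM
11/07/08 08:30:00  11/07/08 18:30:00  host/other.example.com@EXAMPLE.COM
"""

# Both timestamp layouts MIT klist has used over the years (assumption).
DATE_FORMATS = ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S")


class Ticket(NamedTuple):
    service: str
    start: datetime
    expires: datetime


def _parse_ts(date: str, time: str) -> datetime:
    """Parse one klist timestamp; ValueError if neither format matches."""
    text = f"{date} {time}"
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(text: str) -> List[Ticket]:
    """Return one Ticket per credential line in klist output.

    Header lines, blank lines and continuation lines such as 'renew until'
    are skipped; only '<start> <expires> <service>' lines count.
    """
    tickets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # date time date time service
            continue
        try:
            start = _parse_ts(fields[0], fields[1])
            expires = _parse_ts(fields[2], fields[3])
        except ValueError:
            continue  # the column header also has five words; skip it
        tickets.append(Ticket(fields[4], start, expires))
    return tickets


def expired_tickets(text: str, now: datetime) -> List[str]:
    """Service principals whose ticket expiry is at or before ``now``."""
    return [t.service for t in parse_klist(text) if t.expires <= now]


def tgt_expired(text: str, now: datetime) -> bool:
    """True if the cache holds no TGT (krbtgt/...) that is still valid.

    Without a valid TGT the cache cannot yield new service tickets, so
    wiping it with kdestroy is the sensible cleanup.
    """
    tgts = [t for t in parse_klist(text) if t.service.startswith("krbtgt/")]
    return not any(t.expires > now for t in tgts)


if __name__ == "__main__":
    now = datetime(2008, 11, 7, 10, 0, 0)  # constructed reference time
    for svc in expired_tickets(SAMPLE_KLIST, now):
        print("expired:", svc)
    if tgt_expired(SAMPLE_KLIST, now):
        print("no valid TGT left in cache; kdestroy would be appropriate")
```

To use it against a live cache, feed the output of `klist` into `parse_klist` and pass `datetime.now()` as the reference time; the parser deliberately ignores anything it cannot read as a credential line rather than guessing, so extra lines such as flags or renewal times do not disturb the result.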