[1026] in Kerberos
Replacing expired tickets
daemon@ATHENA.MIT.EDU (usenet news poster)
Mon Jun 18 02:19:13 1990
Date: 17 Jun 90 17:41:06 GMT
From: usc!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!haven!ncifcrf!lhc!nlm-mcs!usenet@rutgers.edu (usenet news poster)
To: kerberos@ATHENA.MIT.EDU
One of the headaches I've encountered using Project Athena's Kerberos V4
software is that when just one ticket expires, I must re-run kinit,
which destroys all existing tickets--even those that have not expired.
It appears to me that some small modifications (perhaps no more than 50
lines of code) to the Kerberos library would enable applications that
use krb_sendauth to be more robust in the face of expired service
tickets, and would result in a more efficient system, too. For
example, should not tf_save_cred REPLACE expired tickets in the ticket
file instead of appending new tickets to the ticket file? krb_get_cred
will never see a valid ticket if an expired ticket precedes it in the
file. And why doesn't krb_sendauth compare the expiration time of a
ticket with the current time before blindly attempting to use it; if
the ticket has expired, shouldn't krb_sendauth obtain a new ticket?
Are these "features" of Kerberos V4 to remain in the Athena code for V5???
Warren Gish
National Library of Medicine
gish@ncbi.nlm.nih.gov
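
The behaviour described in the post above, as an added example that is not part of the original message and is not Athena's code: a simplified in-memory ticket cache in which an append-only save leaves an expired ticket ahead of its replacement. The struct layout, the function names and the "rcmd" sample entry are hypothetical; the model assumes V4-style lifetimes counted in 5-minute units.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_CREDS 8
/* Simplified model of a ticket-file entry; not the V4 CREDENTIALS layout. */
struct cred { char service[32]; time_t issued; int lifetime; /* 5-minute units */ };
struct cache { struct cred c[MAX_CREDS]; int n; };

static int expired(const struct cred *c, time_t now) {
    return now >= c->issued + (time_t)c->lifetime * 5 * 60;
}
/* Append-only save: the behaviour the post objects to. */
static int save_append(struct cache *k, struct cred c) {
    if (k->n >= MAX_CREDS) return -1;
    k->c[k->n++] = c;
    return 0;
}
/* Proposed save: overwrite an expired entry for the same service, else append. */
static int save_replace(struct cache *k, struct cred c, time_t now) {
    for (int i = 0; i < k->n; i++)
        if (!strcmp(k->c[i].service, c.service) && expired(&k->c[i], now)) {
            k->c[i] = c;
            return 0;
        }
    return save_append(k, c);
}
/* First-match lookup; with check_expiry set it skips expired entries. */
static const struct cred *lookup(const struct cache *k, const char *svc,
                                 time_t now, int check_expiry) {
    for (int i = 0; i < k->n; i++)
        if (!strcmp(k->c[i].service, svc) &&
            !(check_expiry && expired(&k->c[i], now)))
            return &k->c[i];
    return NULL;
}
/* Constructed scenario: an 8-hour "rcmd" ticket issued at t=0, renewed at t=9h.
   Returns 1 if the lookup then yields a ticket that is still valid. */
int usable_after_renewal(int use_replace, int check_expiry) {
    const time_t now = 9 * 3600;
    struct cache k = { .n = 0 };
    struct cred old = { "rcmd", 0, 96 }, fresh = { "rcmd", now, 96 };
    save_append(&k, old);
    if (use_replace) save_replace(&k, fresh, now); else save_append(&k, fresh);
    const struct cred *got = lookup(&k, "rcmd", now, check_expiry);
    return got != NULL && !expired(got, now);
}
int main(void) {
    printf("append: %d  replace: %d  append+expiry check: %d\n",
           usable_after_renewal(0, 0), usable_after_renewal(1, 0), usable_after_renewal(0, 1));
    return 0;
}
```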