[3405] in Kerberos
Re: Flushing old service tickets
daemon@ATHENA.MIT.EDU (John Hascall)
Wed Jun 15 09:32:36 1994
To: kerberos@MIT.EDU
Date: 15 Jun 1994 12:55:41 GMT
From: john@iastate.edu (John Hascall)
Bill Parod <bill-parod@nwu.edu> wrote:
}I don't know if this is the preferred way, but I do the following to check
}the existence and validity of cached tickets. I too would be interested in
}any Kerberos programming books. This is pulled more or less from
}get_admin_password() in kadmin.c.
}
}  if ((krb_get_cred((char *)service, (char *)sinstance, krbrlm, &c)
}       == KSUCCESS) &&
}      (time(0) < (c.issue_date + (5 * 60 * c.lifetime) - FUDGE_VALUE)))
}      return(have_credentials = YES);
}  else
}      krb_get_in_tkt(...)

Here's a trimmed down (all the "com_err" stuff is omitted for
clarity) copy of a similar routine I use to make sure a
server has valid tickets:

/*
 * get_kerberos_tickets() is called whenever you need to get (new)
 * tickets; generally once right after set_kerberos_info() and
 * then before every operation which might need a ticket.
 */
int get_kerberos_tickets()
{
    int     status;
    time_t  now;

    /*
     * If tickets are still good, then exit right away
     * Add a little fudge because caller wants tickets to last
     * through some unspecified operation.
     */
    now = time(NULL);
    if (tickets_expire > (now + FUDGE)) return (0);

    /*
     * Get rid of old tickets
     */
    (void)dest_tkt();

    /*
     * Get new "Ticket granting ticket" (other tickets gotten as needed)
     */
    if ((status = krb_get_svc_in_tkt(service, instance, realm,
                                     TGTNAME, realm, lifetime, NULL)) != KSUCCESS) {
        tickets_expire = 0;
        /* ... error handling ... */
        return (-1);
    }
    tickets_expire = krb_life_to_time(now, lifetime);
    return (0);
}

Note the use of krb_life_to_time() -- this is from the CMU patch to
provide extended life tickets (up to 30 days). If you are not using
it you can simply write that function as:

/* ticket life (5-minute units) -> expiration time */
int krb_life_to_time(start, life)
    int start;
    int life;
{
    return (start + (life * 5 * 60));
}

Using that (instead of hard coding (life * 5 * 60) everywhere) will
make your life better when you do want 30-day tickets [your users
will tell you when this is :]

also:

/* start and end time -> ticket life (5-minute units, rounded up) */
int krb_time_to_life(start, end)
    int start;
    int end;
{
    int life;

    life = end - start;
    if (life < 0) return (0);
    return ((life + 5*60 - 1) / (5*60));
}

--
John Hascall ``An ill-chosen word is the fool's messenger.''
Systems Software Engineer
Project Vincent
Iowa State University Computation Center + Ames, IA 50011 + 515/294-9551
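
Added example, not part of the original post and not code from kadmin.c or the CMU patch: a stand-alone C sketch of the two conversions and the "still good, with fudge" test discussed in the thread. All names (life_to_time, time_to_life, check_ticket, MAX_LIFE) and the sample values are hypothetical; it assumes the plain V4 one-byte lifetime (at most 255 five-minute units) and adds a clock-skew check that the thread does not mention.

```c
#include <stdio.h>
#include <time.h>

#define LIFE_UNIT (5 * 60)  /* one lifetime unit = 5 minutes, as in the post */
#define MAX_LIFE  255       /* assumption: one-byte V4 lifetime, no long-life patch */

enum tkt_state { TKT_OK, TKT_REFRESH, TKT_NOT_YET_VALID };

/* Lifetime units -> absolute expiry time, with the unit count clamped. */
static time_t life_to_time(time_t start, int life)
{
    if (life < 0) life = 0;
    if (life > MAX_LIFE) life = MAX_LIFE;
    return start + (time_t)life * LIFE_UNIT;
}

/* Wanted end time -> lifetime units, rounded up so the ticket never
 * expires before 'end', then clamped to what one byte can carry. */
static int time_to_life(time_t start, time_t end)
{
    long units;

    if (end <= start) return 0;
    units = (long)((end - start + LIFE_UNIT - 1) / LIFE_UNIT);
    return units > MAX_LIFE ? MAX_LIFE : (int)units;
}

/* Can a cached ticket cover an operation lasting up to 'fudge' seconds?
 * An issue date further in the future than 'skew' means the local clock
 * moved, so the computed expiry cannot be trusted. */
static enum tkt_state check_ticket(time_t issue_date, int life,
                                   time_t now, int fudge, int skew)
{
    if (issue_date > now + skew) return TKT_NOT_YET_VALID;
    if (life_to_time(issue_date, life) <= now + fudge) return TKT_REFRESH;
    return TKT_OK;
}

int main(void)
{
    time_t issued = 1000;                     /* constructed sample values */
    int life = time_to_life(issued, issued + 8 * 3600);

    printf("life=%d units\n", life);
    printf("fresh:  %d\n", check_ticket(issued, life, issued + 60, 120, 300));
    printf("nearly: %d\n", check_ticket(issued, life, issued + 28740, 120, 300));
    return 0;
}
```

A caller would refresh (destroy the old tickets and fetch a new TGT) on anything other than TKT_OK.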