[3430] in Kerberos
Re: Flushing old service tickets
daemon@ATHENA.MIT.EDU (Andrew KUCHLING)
Thu Jun 16 21:43:21 1994
To: kerberos@MIT.EDU
Date: 16 Jun 1994 20:33:48 GMT
From: fnord@cs.mcgill.ca (Andrew KUCHLING)

My thanks to everyone who suggested a solution to the problem of
expired tickets in the cache using V4. I finally adopted the
following solution, which appears to work fine at the level of a small
test program; it'll take me a day or two to get back to the actual
project that sparked the question.

In case anyone else is interested in the answer, example source code is
appended to this posting.

Once again, thanks to everyone for your help!

Andrew Kuchling
fnord@binkley.cs.mcgill.ca

/*
 * I didn't want to use krb_get_in_pw_tkt, as it seems to wipe out the cache
 * completely before storing the new ticket; it's fine if your application can
 * prompt for a password, but I don't have that option. Instead, the code
 * simply reads through the ticket file, looking at every single ticket until
 * it finds one for the correct service, instance, and realm, that isn't
 * expired. (krb_get_cred() returns the first matching ticket, and doesn't
 * check if it's expired or not.) If it found a live ticket, good. If not, it
 * calls get_ad_tkt() to get a fresh ticket.
 */
/* Please note that error checking is non-existent... */

#include <stdio.h>
#include <string.h>
#include <time.h>
#include <krb.h>

#define FUDGE 15 /* Extra time allowance, measured in seconds */
#define SERVICE "service"
#define INSTANCE "instance"
....
    char realmbuf[REALM_SZ+1];
    CREDENTIALS c;
    int result;
    char match;

    /* Get local realm */
    krb_get_lrealm(realmbuf,1);

readtick: /* Label used if we have to reread the ticket file */
    /* Read the ticket file */
    tf_init(TKT_FILE, R_TKT_FIL);
    result = tf_get_pname(c.pname);
    printf("Result of tf_get_pname: %i\n", result);
    result = tf_get_pinst(c.pinst);
    printf("Result of tf_get_pinst: %i\n", result);
    do
    {
        result=tf_get_cred(&c); /* Read new credential */
        match=FALSE;
        if (result==KSUCCESS                      /* Only look at c after a good read */
            && strcmp(c.service,SERVICE) == 0     /* Correct service? */
            && strcmp(c.instance,INSTANCE) == 0   /* Correct instance? */
            && strcmp(c.realm,realmbuf) == 0      /* Correct realm? */
            /* Not expired? (V4 lifetime is in units of 5 minutes) */
            && time(NULL)<(c.issue_date+5*60*c.lifetime)-FUDGE
           ) match=TRUE;
    } while (result==KSUCCESS && match==FALSE);
    tf_close();

    /* If we couldn't get a usable ticket, we request a new one */
    if (match==FALSE)
    {
        result=get_ad_tkt(SERVICE,INSTANCE,realmbuf,1);
        printf("Result of get_ad_tkt: %i\n", result);
        /* Reread only if a ticket was obtained; retrying after a failure
           would loop forever */
        if (result==KSUCCESS)
            goto readtick;
    }
    else
    {
        printf("Credential acquired.\n");
    }
.....
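
Added example, not part of the original post and not Kerberos library code: the same scan run over a constructed in-memory cache, contrasting first-match lookup (the krb_get_cred() behaviour described above) with first-live-match lookup. `struct cred`, `find_cred`, `SAMPLE_CACHE`, `T0` and the realm name are hypothetical stand-ins; the cache layout, with a stale entry ahead of a newer one, is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define FUDGE 15              /* safety margin in seconds, as in the post */
#define V4_LIFE_UNIT (5 * 60) /* a V4 lifetime counts 5-minute units */

/* Hypothetical stand-in for the CREDENTIALS fields the post's loop reads. */
struct cred {
    const char *service, *instance, *realm;
    int lifetime;    /* in 5-minute units */
    long issue_date; /* seconds since the epoch */
};

#define T0 771800000L /* constructed issue time */
static const struct cred SAMPLE_CACHE[] = { /* constructed ticket-file contents */
    { "krbtgt",  "EXAMPLE.REALM", "EXAMPLE.REALM", 96, T0 },
    { "service", "instance",      "EXAMPLE.REALM", 1,  T0 },       /* stale */
    { "service", "instance",      "EXAMPLE.REALM", 1,  T0 + 600 }, /* newer */
};

/* Non-zero if the ticket is still valid FUDGE seconds past `now`. */
static int is_live(const struct cred *c, long now)
{
    return now < c->issue_date + (long)V4_LIFE_UNIT * c->lifetime - FUDGE;
}

/* Scan for service.instance@realm. With live_only == 0 the first name match
 * wins even if expired; with live_only != 0 expired entries are skipped.
 * Returns the entry's index, or -1 if nothing usable was found. */
int find_cred(const struct cred *cache, int n, const char *svc,
              const char *inst, const char *realm, long now, int live_only)
{
    for (int i = 0; i < n; i++) {
        const struct cred *c = &cache[i];
        if (strcmp(c->service, svc) || strcmp(c->instance, inst) ||
            strcmp(c->realm, realm))
            continue;
        if (!live_only || is_live(c, now))
            return i;
    }
    return -1; /* caller must request a fresh ticket */
}

int main(void)
{
    long now = T0 + 700; /* the stale service ticket expired at T0 + 300 */
    printf("first match: %d, first live match: %d\n",
           find_cred(SAMPLE_CACHE, 3, "service", "instance", "EXAMPLE.REALM", now, 0),
           find_cred(SAMPLE_CACHE, 3, "service", "instance", "EXAMPLE.REALM", now, 1));
    return 0;
}
```

A return of -1 is the point at which the posted code calls get_ad_tkt() and rereads the ticket file.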