[35917] in Kerberos


Re: On credential cache separation between service ticket and TGT

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Mar 25 14:05:30 2014

Message-ID: <5331C4D3.4090701@mit.edu>
Date: Tue, 25 Mar 2014 14:02:59 -0400
From: Greg Hudson <ghudson@MIT.EDU>
MIME-Version: 1.0
To: Arpit Srivastava <arpit.orb@gmail.com>
In-Reply-To: <CAEvOXU53pY0xYVp47E-DL9fUHsHuv09d_ZJH5hTDyGqy83d8=w@mail.gmail.com>
Cc: kerberos <kerberos@MIT.EDU>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU

On 03/25/2014 12:37 PM, Arpit Srivastava wrote:
[...]
> - gss_init_sec_context called again and a new service ticket acquired.
> 
> Now here, the krb5cc cache would keep on accumulating service tickets of
> same name but different validity time stamps.
> Isn't that superfluous?

The default ccache format (FILE) is basically append-only, so there is
no way to reclaim the space used by old tickets.  We could prevent them
from being displayed by klist (as I believe Heimdal does), but that
wouldn't change the performance characteristics.

We have medium-term plans to implement a daemon-backed ccache type like
Heimdal has, which could more easily support removing old service
tickets when getting new ones.

> - Is there any way to renew service tickets the way TGT is renewed
> (at least till the validity of TGT) using GSS/Krb APIs.

Per RFC 4120, service tickets can be renewed just like TGTs, by
presenting them to the KDC and asking for a new ticket.  However:

* Heimdal doesn't implement renewing non-TGTs (by my reading of the
code), and I'm not sure whether Active Directory implements it.

* Whether or not they are TGTs, tickets can only be renewed while they
are still valid.  So if you got a 20-minute service ticket, used it
once, then didn't use it again until it was expired, you wouldn't be
able to renew it.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
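The two points in the reply above (the FILE ccache just keeps appending same-name service tickets, and a ticket can only be renewed while it is still valid) can be seen directly by walking a cache file. The script below is an added example, not code from the thread or from the krb5 project: it encodes a small FILE ccache in the version 4 layout documented by MIT (counted octet strings, big-endian integers, a DeltaTime header tag), parses it back, groups credentials by server principal, and applies the RFC 4120 renewal conditions (RENEWABLE flag set, ticket not yet expired, renew_till not yet reached). The principals, times, the fixed NOW value, the all-zero session key and the placeholder ticket blob are all constructed for the example; nothing here talks to a KDC or reads a real cache, though parse_ccache will accept the bytes of a real v4 krb5cc file.

```python
"""Walk an MIT krb5 FILE credential cache (format version 4), list the service
tickets that have accumulated for the same server principal, and mark which of
them RFC 4120 would still let the client renew.  Added example, not krb5 code;
the cache bytes are constructed by the encoder below, not captured from a host."""
import struct

RENEWABLE = 0x00800000      # TKT_FLG_RENEWABLE from krb5.h
NOW = 1395770400            # fixed "now" (2014-03-25) so the sample is deterministic

def _octets(b):             # counted octet string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def principal_bytes(realm, *components, name_type=1):
    out = struct.pack(">II", name_type, len(components)) + _octets(realm.encode())
    return out + b"".join(_octets(c.encode()) for c in components)

def cred_bytes(client, server, authtime, endtime, renew_till, flags):
    """One v4 credential: enctype 18 + dummy key, no addresses/authdata, fake ticket."""
    return (client + server + struct.pack(">H", 18) + _octets(bytes(32))
            + struct.pack(">IIIIBI", authtime, authtime, endtime, renew_till, 0, flags)
            + struct.pack(">II", 0, 0) + _octets(b"\x61\x00") + _octets(b""))

def ccache_bytes(default_principal, creds):
    header = struct.pack(">HHii", 1, 8, 0, 0)    # tag 1 = DeltaTime (offset, usec)
    return (b"\x05\x04" + struct.pack(">H", len(header)) + header
            + default_principal + b"".join(creds))

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, width):                        # big-endian uint16 / uint32
        return int.from_bytes(self.take(width), "big")
    def octets(self):
        return self.take(self.uint(4))
    def principal(self):
        self.uint(4)                              # name type, not needed here
        ncomp = self.uint(4)
        realm = self.octets().decode()
        return "/".join(self.octets().decode() for _ in range(ncomp)) + "@" + realm

def parse_ccache(data):
    """Return (default principal, list of credential dicts) from v4 FILE bytes."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE ccache version 4 is handled here")
    r.take(r.uint(2))                             # skip header tags
    default, creds = r.principal(), []
    while r.pos < len(r.data):                    # records simply follow one another
        client, server = r.principal(), r.principal()
        r.uint(2); r.octets()                     # keyblock: enctype, key
        _auth, _start, end, renew_till = struct.unpack(">IIII", r.take(16))
        r.take(1)                                 # is_skey
        flags = r.uint(4)
        for _ in range(r.uint(4)):                # addresses: addrtype + octets
            r.uint(2); r.octets()
        for _ in range(r.uint(4)):                # authdata: adtype + octets
            r.uint(2); r.octets()
        r.octets(); r.octets()                    # ticket, second_ticket
        creds.append(dict(client=client, server=server, end=end,
                          renew_till=renew_till, flags=flags))
    return default, creds

def renewable(cred, now=NOW):
    """RFC 4120 renewal: RENEWABLE flag, ticket still valid, renew_till not reached.
    A 20-minute service ticket that was left to expire fails the middle test."""
    return bool(cred["flags"] & RENEWABLE) and now < cred["end"] and now < cred["renew_till"]

def accumulated(creds, now=NOW):
    """Server principal -> [(endtime, renewable now?)] for servers with >1 ticket."""
    by_server = {}
    for c in creds:
        if not c["server"].endswith("@X-CACHECONF:"):   # skip krb5 config pseudo-entries
            by_server.setdefault(c["server"], []).append((c["end"], renewable(c, now)))
    return {s: sorted(v) for s, v in by_server.items() if len(v) > 1}

def sample_ccache():
    """Constructed cache: alice's TGT plus two 20-minute tickets for the same
    host service, the first already expired, the second still valid."""
    alice = principal_bytes("EXAMPLE.COM", "alice")
    tgt = principal_bytes("EXAMPLE.COM", "krbtgt", "EXAMPLE.COM", name_type=2)
    www = principal_bytes("EXAMPLE.COM", "host", "www.example.com", name_type=3)
    flags = 0x40000000 | RENEWABLE                    # forwardable + renewable
    return ccache_bytes(alice, [
        cred_bytes(alice, tgt, NOW - 36000, NOW + 50400, NOW + 568800, flags | 0x00400000),
        cred_bytes(alice, www, NOW - 10000, NOW - 8800, NOW + 50400, flags),
        cred_bytes(alice, www, NOW - 600, NOW + 600, NOW + 50400, flags),
    ])

if __name__ == "__main__":
    default, creds = parse_ccache(sample_ccache())
    print(f"{default}: {len(creds)} credentials in cache")
    for server, entries in accumulated(creds).items():
        for end, ok in entries:
            print(f"  {server} endtime={end} renewable_now={ok}")
```

Run against the constructed cache, host/www.example.com shows up twice, as the reply describes: the older ticket is expired and therefore no longer renewable, while the newer one still is. Running the same parse over a real krb5cc file (open it in binary mode and pass the bytes to parse_ccache) will show the same accumulation after repeated gss_init_sec_context calls; the flags and times come straight from the stored ticket fields, so the renewable() check is the client-side view of what the KDC would accept.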
