[16957] in Kerberos-V5-bugs
[krbdev.mit.edu #9132] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Jul 1 21:29:58 2024
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-821844-1719883793-1293.9132-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9132":;
Date: Mon, 01 Jul 2024 21:29:53 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Mon Jul 01 21:29:53 2024: Request 9132 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9132 >
Change krb5_get_credentials() endtime behavior
Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion. These
uses are in conflict; setting a TGS request endtime can only serve to
limit the maximum lifetime of the issued ticket, while a cache lookup
endtime restricts the minimum lifetime of an acceptable cached ticket.
The likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.
Change to the Heimdal behavior of using in_creds->times.endtime only
as the TGS request endtime.
https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48
Author: Greg Hudson <ghudson@mit.edu>
Commit: e68890329f8ab766f9b746351b5c7d2d18d8dd48
Branch: master
src/include/krb5/krb5.hin | 8 ++++----
src/lib/krb5/krb/get_creds.c | 13 +++++--------
2 files changed, 9 insertions(+), 12 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
