[15893] in Kerberos_V5_Development


Re: Renewable service tickets

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Wed Jun 9 14:50:52 2010

X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: krbdev@mit.edu
Message-ID: <4C0FE283.2020102@secure-endpoints.com>
Date: Wed, 09 Jun 2010 14:50:43 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: krbdev@mit.edu
In-Reply-To: <201006091659.o59Gxf5X002414@outgoing.mit.edu>
Reply-To: jaltman@secure-endpoints.com
Content-Type: multipart/mixed; boundary="===============2082396996=="
Errors-To: krbdev-bounces@mit.edu

On 6/9/2010 12:59 PM, ghudson@mit.edu wrote:
>   3. It is a pretty dubious assumption that the caller has any
>   interest in a renewable service ticket.  Jeff Altman pointed out
>   that the caller *could* sever the service ticket from the TGT and
>   pass it to some other process which could then renew it, but this is
>   pretty exotic behavior, and I'm confident that no one is doing so.
>   As evidence, I'll point out that krb5_get_renewed_creds() has been
>   broken for non-TGT ticket renewals for its entire lifetime up until
>   I fixed it on trunk on April 12.  If we do find a reason to support
>   this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
>   application to explicitly request renewable service tickets (and
>   provide a default value for renew_till as noted in (1)).

Network Identity Manager has logic to perform service ticket renewals
when the TGT is not present and the service ticket is renewable.
I will have to look at your fix to the trunk because I know this
functionality has worked in the past.  It certainly works with the
MSLSA: interface and with Heimdal.

Jeffrey Altman
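The thread turns on whether a renewable service ticket can still be renewed once it has been severed from the TGT, and on what renew_till means for such a ticket. The following Python model, added here as an illustration and not code from the krbdev thread or from MIT krb5, Heimdal or Network Identity Manager, encodes the renewal rule a KDC applies to any renewable ticket (RFC 4120 section 3.3.3): the RENEWABLE flag must be set, the ticket must not have expired, renew_till must still be in the future, and the renewed ticket's endtime is the lesser of now plus the original lifetime and renew_till. The flag value is the TKT_FLG_RENEWABLE bit from krb5.h; the ticket data and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# TKT_FLG_RENEWABLE as defined in krb5.h (MIT krb5).
TKT_FLG_RENEWABLE = 0x00800000

UTC = timezone.utc


@dataclass(frozen=True)
class Ticket:
    """Minimal model of a cached credential: only the fields renewal looks at."""
    server: str
    flags: int
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]


def can_renew(t: Ticket, now: datetime) -> Tuple[bool, str]:
    """Apply the KDC-side checks for a RENEW request to ticket t at time now.

    Returns (True, "ok") or (False, reason). No TGT is involved: renewal is
    decided purely from the ticket's own flags and times, which is why a
    service ticket severed from its TGT can still be renewed by another
    process as long as these checks pass.
    """
    if not t.flags & TKT_FLG_RENEWABLE:
        return False, "ticket is not renewable"
    if t.renew_till is None:
        return False, "renewable ticket carries no renew_till"
    if now >= t.endtime:
        return False, "ticket has already expired; renewal cannot resurrect it"
    if now >= t.renew_till:
        return False, "renew_till has passed; ticket can only be re-obtained"
    return True, "ok"


def renew(t: Ticket, now: datetime) -> Ticket:
    """Return the renewed ticket, or raise ValueError with the KDC's reason.

    The renewed ticket keeps the original lifetime (endtime - starttime) but
    is capped at renew_till, so repeated renewals converge on renew_till.
    """
    ok, why = can_renew(t, now)
    if not ok:
        raise ValueError(why)
    lifetime: timedelta = t.endtime - t.starttime
    new_end = min(now + lifetime, t.renew_till)
    return Ticket(t.server, t.flags, now, new_end, t.renew_till)


# Constructed sample: a 10-hour renewable service ticket whose renew_till
# allows renewal until midnight UTC.
SERVICE_TICKET = Ticket(
    server="host/example.test@EXAMPLE.TEST",  # constructed principal
    flags=TKT_FLG_RENEWABLE,
    starttime=datetime(2010, 6, 9, 10, 0, tzinfo=UTC),
    endtime=datetime(2010, 6, 9, 20, 0, tzinfo=UTC),
    renew_till=datetime(2010, 6, 10, 0, 0, tzinfo=UTC),
)

# The same ticket issued without the RENEWABLE flag, for contrast.
NON_RENEWABLE_TICKET = Ticket(
    SERVICE_TICKET.server, 0, SERVICE_TICKET.starttime,
    SERVICE_TICKET.endtime, None,
)


if __name__ == "__main__":
    now = datetime(2010, 6, 9, 12, 0, tzinfo=UTC)
    first = renew(SERVICE_TICKET, now)
    print("first renewal ends at", first.endtime)          # 22:00, full lifetime
    second = renew(first, datetime(2010, 6, 9, 21, 0, tzinfo=UTC))
    print("second renewal ends at", second.endtime)        # capped at renew_till
    for label, ticket, when in (
        ("after expiry", second, datetime(2010, 6, 10, 0, 30, tzinfo=UTC)),
        ("non-renewable", NON_RENEWABLE_TICKET, now),
    ):
        print(label, "->", can_renew(ticket, when))
```

The cap at renew_till is the detail that matters for the default-value question raised earlier in the thread: a renewable ticket whose renew_till was left at zero (or at its own endtime) passes the flag check but can never be usefully renewed, which is the failure mode a library caller would see as "renewable ticket, renewal refused".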