[15893] in Kerberos_V5_Development
Re: Renewable service tickets
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Wed Jun 9 14:50:52 2010
Message-ID: <4C0FE283.2020102@secure-endpoints.com>
Date: Wed, 09 Jun 2010 14:50:43 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: krbdev@mit.edu
In-Reply-To: <201006091659.o59Gxf5X002414@outgoing.mit.edu>
Reply-To: jaltman@secure-endpoints.com
On 6/9/2010 12:59 PM, ghudson@mit.edu wrote:
> 3. It is a pretty dubious assumption that the caller has any
> interest in a renewable service ticket. Jeff Altman pointed out
> that the caller *could* sever the service ticket from the TGT and
> pass it to some other process which could then renew it, but this is
> pretty exotic behavior, and I'm confident that no one is doing so.
> As evidence, I'll point out that krb5_get_renewed_creds() has been
> broken for non-TGT ticket renewals for its entire lifetime up until
> I fixed it on trunk on April 12. If we do find a reason to support
> this use case, we can add a KRB5_GC_RENEWABLE flag to allow the
> application to explicitly request renewable service tickets (and
> provide a default value for renew_till as noted in (1)).
Network Identity Manager has logic to perform service ticket renewals
when the TGT is not present and the service ticket is renewable.
I will have to look at your fix to the trunk because I know this
functionality has worked in the past. It certainly works with the
MSLSA: interface and with Heimdal.
Jeffrey Altman