Re: Destroy expired tickets? - Kerberos


Thread: Re: Destroy expired tickets?

  1. Re: Destroy expired tickets?

    On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
    > How can I destroy expired tickets?
    >
    > They're useless at best, and in some cases they're positively harmful
    > (their presence prompts `ssh' to contact the KDC to try and delegate
    > credentials, which is a waste if the tickets are expired, and is really
    > annoying when the KDC times out because it's behind a firewall).


    Hm, that sounds a bit broken. I could see, maybe, inferring that you
    want to use Kerberos and prompting to get new tickets, but trying to
    forward expired ones is no good...

    > But I couldn't find any command that would destroy only expired
    > tickets.
    > Any idea what I should use? I guess I could try and parse the date&time
    > in "klist", but it'd be a pain in the rear and blatantly brittle.


    Running "klist -s" and testing the exit status should let you figure
    out if there are currently-valid tickets. I don't know if there's a
    way to test for "tickets exist and are not valid", though perhaps
    "klist >& /dev/null" (C shell syntax) succeeding and "klist -s"
    failing would do the job. Or you could try "klist -s" and then just
    run "kdestroy >& /dev/null", ignoring any errors caused by a ticket
    cache not existing.

    Ken

  2. Re: Destroy expired tickets?

    >>>>> "KR" == Ken Raeburn writes:

    KR> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
    >> How can I destroy expired tickets?
    >>
    >> They're useless at best, and in some cases they're positively
    >> harmful (their presence prompts `ssh' to contact the KDC to try and
    >> delegate credentials, which is a waste if the tickets are expired,
    >> and is really annoying when the KDC times out because it's behind a
    >> firewall).


    KR> Hm, that sounds a bit broken. I could see, maybe, inferring that
    KR> you want to use Kerberos and prompting to get new tickets, but
    KR> trying to forward expired ones is no good...

    >> But I couldn't find any command that would destroy only expired
    >> tickets. Any idea what I should use? I guess I could try and
    >> parse the date&time in "klist", but it'd be a pain in the rear and
    >> blatantly brittle.


    FWIW, the Perl Authen::Krb5 module would allow you to write such a utility
    pretty easily.

    KR> Running "klist -s" and testing the exit status should let you
    KR> figure out if there are currently-valid tickets. I don't know if
    KR> there's a way to test for "tickets exist and are not valid",
    KR> though perhaps "klist >& /dev/null" (C shell syntax) succeeding
    KR> and "klist -s" failing would do the job. Or you could try "klist
    KR> -s" and then just run "kdestroy >& /dev/null", ignoring any errors
    KR> caused by a ticket cache not existing.

    KR> Ken

    --
    Richard Silverman
    res@qoxp.net
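
The exit-status approach from the first reply, written out for a POSIX shell as an added example that is not part of either post. It assumes MIT Kerberos `klist` and `kdestroy` on the PATH and relies on the reply's tentative heuristic that plain `klist` succeeds on an expired cache; the function name `destroy_expired_tickets` and the `--run` guard are made up for illustration.

```shell
#!/bin/sh
# Added example: destroy the credential cache only when it holds expired
# tickets, using exit statuses instead of parsing klist's date output.
# Assumptions: MIT Kerberos klist/kdestroy on PATH; hypothetical function name.
# Both tools act on the default cache, or the one named by KRB5CCNAME.

# Prints one of: valid | destroyed | none | error
destroy_expired_tickets() {
    # "klist -s" prints nothing and exits 0 only when the cache can be
    # read and its credentials have not expired.
    if klist -s 2>/dev/null; then
        echo valid            # usable tickets: leave the cache alone
        return 0
    fi

    # "klist -s" failed: the cache is either missing or expired.
    # Heuristic from the thread: plain klist still succeeds when a cache
    # exists. ">/dev/null 2>&1" is the POSIX spelling of csh's ">&".
    if klist >/dev/null 2>&1; then
        if kdestroy >/dev/null 2>&1; then
            echo destroyed    # expired cache removed
        else
            echo error        # cache present but kdestroy failed
        fi
        return 0
    fi

    echo none                 # no cache at all: nothing to clean up
}

# Run only when asked, so the file can also be sourced from a login
# script and the function called before starting ssh.
if [ "${1:-}" = "--run" ]; then
    destroy_expired_tickets
fi
```

The check and the destroy are two separate steps, so a `kinit` that lands between them would have its fresh tickets removed; run it before obtaining new tickets, not concurrently with them.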

