How to re-request expired host tickets?


How to re-request expired host tickets?

Victor Sudakov
Dear Colleagues,

Sometimes I have a valid TGT and an expired host ticket, please see an
example below.

How can I make ssh (or any other client) request a new host ticket instead
of the expired one, automagically? In the current situation, there is no
attempt to request a fresh ticket:


$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Mar 23 11:57:19 2016  Mar 30 11:57:19 2016  krbtgt/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
$ ssh noc
otp-md5 489 no1004 ext
Password:

FreeBSD, Heimdal 1.5.2

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: How to re-request expired host tickets?

Harald Barth-2

> How can I make ssh (or any other client) request a new host ticket instead
> of the expired one, automagically? In the current situation, there is no
> attempt to request a fresh ticket

I think the libkrb which is used by ssh should attempt to get a new service
ticket in this situation. What libkrb is used by your ssh?

Harald.

Re: How to re-request expired host tickets?

Victor Sudakov
Harald Barth wrote:
>
> > How can I make ssh (or any other client) request a new host ticket instead
> > of the expired one, automagically? In the current situation, there is no
> > attempt to request a fresh ticket
>
> I think the libkrb which is used by ssh should attempt to get a new service
> ticket in this situation. What libkrb is used by your ssh?
>

I've written in the previous message it's FreeBSD 10, Heimdal 1.5.2

[sudakov@vas ~] uname -a
FreeBSD vas.sibptus.ru 10.2-RELEASE-p9 FreeBSD 10.2-RELEASE-p9 #0: Thu Jan 14 01:32:46 UTC 2016     [hidden email]:/usr/obj/usr/src/sys/GENERIC  amd64
[sudakov@vas ~] ldd `which ssh`
/usr/bin/ssh:
        libssh.so.5 => /usr/lib/private/libssh.so.5 (0x800849000)
        libutil.so.9 => /lib/libutil.so.9 (0x800ad6000)
        libldns.so.5 => /usr/lib/private/libldns.so.5 (0x800ce8000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800f44000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x80114d000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x80136d000)
        libz.so.6 => /lib/libz.so.6 (0x801761000)
        libc.so.7 => /lib/libc.so.7 (0x801977000)
        libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801d23000)
        libhx509.so.11 => /usr/lib/libhx509.so.11 (0x801f9b000)
        libasn1.so.11 => /usr/lib/libasn1.so.11 (0x8021e5000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x802482000)
        libmd.so.6 => /lib/libmd.so.6 (0x802684000)
        libroken.so.11 => /usr/lib/libroken.so.11 (0x802894000)
        libwind.so.11 => /usr/lib/libwind.so.11 (0x802aa6000)
        libheimbase.so.11 => /usr/lib/libheimbase.so.11 (0x802cce000)
        libheimipcc.so.11 => /usr/lib/private/libheimipcc.so.11 (0x802ed2000)
        libthr.so.3 => /lib/libthr.so.3 (0x8030d4000)
[sudakov@vas ~]
[sudakov@vas ~] kinit --version
kinit (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska H"ogskolan
Send bug-reports to [hidden email]
[sudakov@vas ~]


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: How to re-request expired host tickets?

Harald Barth-2
> I've written in the previous message it's FreeBSD 10, Heimdal 1.5.2

Ah, sorry. Does it work manually with kgetcred?

Harald.

Re: How to re-request expired host tickets?

Victor Sudakov
Harald Barth wrote:
> > I've written in the previous message it's FreeBSD 10, Heimdal 1.5.2
>
> Ah, sorry. Does it work manually with kgetcred?

kgetcred yields an interesting result. With each invocation, it adds one
more expired ticket for the service. Please look:

[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Mar 23 11:57:19 2016  Mar 30 11:57:19 2016  krbtgt/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
[sudakov@vas ~] kgetcred host/[hidden email]
[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Mar 23 11:57:19 2016  Mar 30 11:57:19 2016  krbtgt/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
[sudakov@vas ~] kgetcred host/[hidden email]
[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Mar 23 11:57:19 2016  Mar 30 11:57:19 2016  krbtgt/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
Mar 23 11:57:30 2016  >>>Expired<<<         host/[hidden email]
[sudakov@vas ~]


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]
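The two cache states shown in this thread (a still-valid TGT next to an expired host ticket in the opening message, and the pile of duplicate expired host entries that kgetcred leaves behind in the last one) are easy to miss by eye in a long klist listing. The following script is an added example, not code from the thread or from Heimdal: it parses the Heimdal klist text format quoted above and reports whether a usable TGT exists, which service principals have only expired tickets, and which principals appear more than once. The klist sample, the principal names and the fixed "now" timestamp are constructed for the example.

```python
"""Parse Heimdal `klist` output and audit the credential cache.

Added example (not from the mailing-list thread or from Heimdal). The
sample listing below is constructed to mirror the thread; the realm and
host names are made up.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, modelled on the klist listings quoted in the thread.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: sudakov@EXAMPLE.COM

  Issued                Expires               Principal
Mar 23 11:57:19 2016  Mar 30 11:57:19 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 23 11:57:30 2016  >>>Expired<<<         host/noc.example.com@EXAMPLE.COM
Mar 23 11:57:30 2016  >>>Expired<<<         host/noc.example.com@EXAMPLE.COM
Mar 23 11:57:30 2016  >>>Expired<<<         host/noc.example.com@EXAMPLE.COM
"""

# A fixed "now" inside the sample TGT's lifetime keeps the example deterministic.
SAMPLE_NOW = datetime(2016, 3, 24, 9, 0, 0)

# Heimdal prints dates as "Mar 23 11:57:19 2016"; single-digit days are space padded.
DATE_RE = r"\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
TICKET_RE = re.compile(
    r"^(" + DATE_RE + r")\s+(" + DATE_RE + r"|>>>Expired<<<)\s+(\S+)$"
)


class Ticket(NamedTuple):
    issued: datetime
    expires: Optional[datetime]  # None when klist printed >>>Expired<<<
    principal: str


def _parse_date(text: str) -> datetime:
    # Collapse the padding space before a single-digit day before parsing.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")


def parse_klist(output: str) -> List[Ticket]:
    """Return one Ticket per credential line; header and blank lines are skipped."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line.rstrip())
        if not m:
            continue
        issued, expires, principal = m.groups()
        tickets.append(Ticket(
            _parse_date(issued),
            None if expires == ">>>Expired<<<" else _parse_date(expires),
            principal,
        ))
    return tickets


def is_expired(ticket: Ticket, now: datetime) -> bool:
    return ticket.expires is None or ticket.expires <= now


def audit_cache(output: str, now: datetime) -> Dict[str, object]:
    """Summarise the cache: is there a usable TGT (so a fresh service ticket
    could still be fetched), which service principals have only expired
    tickets, and which principals are duplicated in the cache."""
    tickets = parse_klist(output)
    tgt_valid = any(
        t.principal.startswith("krbtgt/") and not is_expired(t, now)
        for t in tickets
    )
    expired_only = sorted({
        t.principal for t in tickets
        if not t.principal.startswith("krbtgt/")
        and all(is_expired(u, now) for u in tickets if u.principal == t.principal)
    })
    counts = Counter(t.principal for t in tickets)
    duplicates = {p: n for p, n in counts.items() if n > 1}
    return {
        "tgt_valid": tgt_valid,
        "expired_service_principals": expired_only,
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    # Run against real output with: klist | python3 this_script.py (after
    # replacing SAMPLE_KLIST with sys.stdin.read() and SAMPLE_NOW with datetime.now()).
    print(audit_cache(SAMPLE_KLIST, SAMPLE_NOW))
```

On the sample, the report says the TGT is valid, lists host/noc.example.com@EXAMPLE.COM as having only expired tickets, and counts it three times, which is exactly the condition under which a client ought to ask the KDC for a fresh service ticket rather than reuse the expired entry.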