https://bugzilla.redhat.com/show_bug.cgi?id=1669607
--- Comment #12 from Robbie Harwood <rharwood(a)redhat.com> ---
> Expired tickets are only useful to attackers, so there's
> absolutely no reason to keep them around.

That's... more reductionist than I think is accurate.

krb5 does change behavior based on the presence of tickets, expired or no. For
instance, consider a collection with credentials for REDHAT.COM and
IPA.REDHAT.COM (in that order). For hostname.redhat.com, the credential for
REDHAT.COM will typically be preferred, even if it's expired. Pruning the
credential for REDHAT.COM will cause the one for IPA.REDHAT.COM to be used
instead. In that case, pruning is desirable (and for this reason, Simo has
been in favor of it I believe).

However, consider instead the same setup with REDHAT.COM and FEDORAPROJECT.ORG.
Pruning expired REDHAT.COM will cause FEDORAPROJECT.ORG's credential to be
attempted. While this will obviously not work (no cross realm there), the
errors will be confusing to a user who doesn't realize the REDHAT.COM
credential has been expired (and there's nothing krb5 can do about it because
the ccache expired it out from under us). And it's potentially even more
confusing when cross-realm relationships come into play.
Upstream's position is that the second case is more typical, so in-tree ccache
backends (FILE, DIR, MEMORY, etc.) do not prune. KEYRING prunes.
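The two scenarios in the comment above, as an added illustration that is not code from krb5 or from the bug report. It models only the selection rule the comment describes (the cache whose client realm matches the realm guessed for the target host is preferred, expired or not; otherwise the first remaining cache is used) and shows which error a user ends up seeing with and without pruning. The domain-to-realm guess, the cross-realm table, the `Cache` type and the error strings are simplifying assumptions, not krb5's real selection code or messages.

```python
"""Toy model of credential-cache selection in a krb5-style collection.

Added illustration, not krb5 code. Assumptions (not from the page):
  - the target realm is guessed from the host's parent domain;
  - a cache whose client realm equals that guess is preferred, even if
    expired; with no match, the first cache in the collection is used;
  - cross-realm trust is a fixed table; error strings are invented.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cache:
    realm: str       # realm of the client principal held in this cache
    expired: bool    # whether its TGT has expired


def guess_realm(hostname: str) -> str:
    """Assumed domain_realm-style mapping: parent domain, upper-cased."""
    return hostname.split(".", 1)[1].upper()


def select_cache(collection: List[Cache], hostname: str,
                 prune_expired: bool) -> Optional[Cache]:
    """Pick the cache the (modelled) library would use for this host.

    With prune_expired=True the expired caches are treated as already
    removed by the backend (the KEYRING-like behaviour in the comment).
    """
    caches = [c for c in collection if not (prune_expired and c.expired)]
    if not caches:
        return None
    target = guess_realm(hostname)
    for c in caches:              # collection order is the tie-breaker
        if c.realm == target:
            return c
    return caches[0]


# Assumed cross-realm trust: client realm -> realms it can reach.
CROSS_REALM = {"IPA.REDHAT.COM": {"REDHAT.COM"}}


def attempt(collection: List[Cache], hostname: str,
            prune_expired: bool) -> str:
    """Return the (modelled) outcome a user would see for this request."""
    target = guess_realm(hostname)
    cache = select_cache(collection, hostname, prune_expired)
    if cache is None:
        return "no credentials cache found"
    if cache.expired:
        # Unpruned expired cache: the error points at the real cause.
        return f"{cache.realm}: ticket expired"
    if cache.realm == target or target in CROSS_REALM.get(cache.realm, set()):
        return f"{cache.realm}: ok"
    # Pruned away the matching cache, fell through to an unrelated realm:
    # the failure no longer mentions the expired credential at all.
    return f"{cache.realm}: cannot find KDC for realm {target}"


if __name__ == "__main__":
    # Constructed sample collections for the two cases in the comment.
    case1 = [Cache("REDHAT.COM", True), Cache("IPA.REDHAT.COM", False)]
    case2 = [Cache("REDHAT.COM", True), Cache("FEDORAPROJECT.ORG", False)]
    for name, coll in (("REDHAT.COM + IPA.REDHAT.COM", case1),
                       ("REDHAT.COM + FEDORAPROJECT.ORG", case2)):
        for prune in (False, True):
            print(f"{name:32} prune={prune!s:5} -> "
                  f"{attempt(coll, 'hostname.redhat.com', prune)}")
```

In the first collection pruning is an improvement: the IPA.REDHAT.COM credential is selected and (via the assumed trust) works. In the second, pruning swaps a self-explanatory "ticket expired" for a failure against an unrelated realm, which is the confusing case the comment argues upstream weighs more heavily.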