#6 has_creds() does not check ticket expiration
Closed 2 years ago by puiterwijk. Opened 4 years ago by ktdreyer.

cccolutils.has_creds() returns True even if the TGT in the cache is expired.

Here's my TGT that expired a couple days ago:

$ klist -Af
Ticket cache: DIR::/tmp/krb5cc_1000_dir/tktVsHX3r
Default principal: ktdreyer@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
03/05/2018 08:48:18  03/06/2018 08:48:17  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
    Flags: FIA

Testing like so:

import cccolutils

authenticated = cccolutils.has_creds()
if authenticated:
    print('This user has a valid Kerberos ticket in any credential cache.')
    print('no valid Kerberos ticket in any credential cache.')

has_creds() returns True:

$ python3 ccc.py 
This user has a valid Kerberos ticket in any credential cache.

Is this behavior expected? I imagine most scripts and callers would want to alert the user if their cache is expired.

Sorry for the delay.
This tool is primarily used to deterime the users' username for a specific realm, and even if your ticket expired the chance that your username has changed is small in my opinion.
If people/tools start depending on this library to make a decision on whether to error, there will be TOCTOU issues anyway, since the fact that your local clock says it's still valid doesn't mean that the KDC or other principal thinks the same.

It also could technically be that while their TGT has expired, the ticket for the service they're trying to reach is still valid.

As such, I think I'm going to call this "Expected behaviour" and it's up to libraries/servers to check for ticket expiration and report that accurately to the user.

Metadata Update from @puiterwijk:
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.