cccolutils.has_creds() returns True even if the TGT in the cache is expired.
Here's my TGT that expired a couple days ago:
```
$ klist -Af
Ticket cache: DIR::/tmp/krb5cc_1000_dir/tktVsHX3r
Default principal: ktdreyer@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
03/05/2018 08:48:18  03/06/2018 08:48:17  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
	Flags: FIA
```
Testing like so:
```python
import cccolutils

authenticated = cccolutils.has_creds()
if authenticated:
    print('This user has a valid Kerberos ticket in any credential cache.')
else:
    print('no valid Kerberos ticket in any credential cache.')
```
has_creds() returns True:
```
$ python3 ccc.py
This user has a valid Kerberos ticket in any credential cache.
```
Is this behavior expected? I imagine most scripts and callers would want to alert the user if their cache is expired.
Sorry for the delay. This tool is primarily used to determine the users' username for a specific realm, and even if your ticket expired the chance that your username has changed is small in my opinion. If people/tools start depending on this library to make a decision on whether to error, there will be TOCTOU issues anyway, since the fact that your local clock says it's still valid doesn't mean that the KDC or other principal thinks the same.
It also could technically be that while their TGT has expired, the ticket for the service they're trying to reach is still valid.
As such, I think I'm going to call this "Expected behaviour" and it's up to libraries/servers to check for ticket expiration and report that accurately to the user.
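Since the maintainer leaves expiry checking to the caller, here is one way a caller can do it from `klist` output, as an added example that is not part of cccolutils or of the discussion above. It assumes the MIT `klist` table layout and `MM/DD/YYYY HH:MM:SS` timestamps shown in the issue; the sample text is the OP's expired cache, constructed inline, and `check_live` is a hypothetical wrapper that shells out to `klist -A`.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample: the klist -Af output quoted in this issue (expired TGT).
SAMPLE_KLIST = """Ticket cache: DIR::/tmp/krb5cc_1000_dir/tktVsHX3r
Default principal: ktdreyer@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
03/05/2018 08:48:18  03/06/2018 08:48:17  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
\tFlags: FIA
"""

# Assumes the US-locale MIT klist date format; other locales print dates differently.
TIME_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)"
)


def parse_klist(text):
    """Return (valid_from, expires, service_principal) for every ticket line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start = datetime.strptime(m.group(1), TIME_FMT)
            expires = datetime.strptime(m.group(2), TIME_FMT)
            tickets.append((start, expires, m.group(3)))
    return tickets


def tgt_is_valid(klist_text, realm, now, skew_seconds=300):
    """True if a krbtgt for `realm` is valid at `now`, with a safety margin.

    This is only the local clock's view: the KDC may still reject the ticket
    (the TOCTOU point raised above), so callers must also handle auth failures.
    """
    margin = timedelta(seconds=skew_seconds)
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for start, expires, service in parse_klist(klist_text):
        if service == wanted and start <= now < expires - margin:
            return True
    return False


def check_live(realm):
    # Hypothetical helper: inspect every cache in the collection, like has_creds().
    out = subprocess.run(["klist", "-A"], capture_output=True, text=True).stdout
    return tgt_is_valid(out, realm, datetime.now())
```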
Metadata Update from @puiterwijk: - Issue status updated to: Closed (was: Open)