Matt Garman writes:
> Since sending that I basically did exactly what you suggest, more or
> less copying the krb5_init source, but stripping out any cache-related
> stuff. I also request a very short-lived ticket life (30s). So far
> seems pretty straightforward!

Yup, that will work. Note th

Hi Russ, thank you for the (as always) very helpful and detailed
reply... a few follow-up comments:

On Wed, Feb 3, 2016 at 4:47 PM, Russ Allbery wrote:
> You'll want to either perform just the authentication calls without saving
> the resulting cache or use a separate cache (by setting KRB5CCNAME

Matt Garman writes:
> - Will forcing the retrieval of a new ticket interfere in any way
> with the user's current credentials (or his credentials cache)? The
> main reason we currently have Kerberos implemented is for Kerberized
> NFSv4 home directories (i.e. sec=krb5p NFS mount option). So

I'd like to integrate Kerberos into an existing application. In
particular, when this application performs certain operations, I want
to explicitly force the user to re-authenticate. To be clear, the
user will generally already have a valid Kerberos ticket. Despite
that, I want to force him to r