lifetime argument not respected when initiating credentials #311
What went wrong?
The `lifetime` argument passed to `gssapi.Credentials` is not respected, freshly-minted creds all come back with a lifetime of 86400.
I am presuming this is naive user error, but can't figure out how to generate credentials with a specific lifetime from python-gssapi. I can run `kinit -l 100` to generate lifetime-specific credentials manually.
How do we reproduce?
```python
import gssapi
import os

cred = gssapi.Credentials(
    usage='initiate',
    store={'client_keytab': os.getenv('KRB5_KTNAME')},
    lifetime=100,
)
print(cred.inquire().lifetime)
```
Component versions (python-gssapi, Kerberos, OS / distro, etc.)
All packages installed via conda-forge on Debian 11 under WSL:
```
$ uname -a
Linux WR14F6D8F62EF8 5.15.79.1-microsoft-standard-WSL2 #1 SMP Wed Nov 23 01:01:46 UTC 2022 x86_64 GNU/Linux
$ conda list "(python-gssapi|krb5)"
# packages in environment at /home/duncan/opt/mambaforge/envs/py311:
#
# Name                    Version                   Build  Channel
krb5                      1.20.1               h81ceb04_0    conda-forge
python-gssapi             1.8.2           py311ha54f867_2    conda-forge
```
You simply can't, the GSSAPI store API has no way to pass in a lifetime.
The only allowed attributes for the latest MIT krb5 mechanism are:
- keytab
- client_keytab
- ccache
- rcache
- password
- verify
Unfortunately not well documented, but you can find it here:
https://github.com/krb5/krb5/blob/50b7ae4b971d2e7b9d16230de966ec5452a367c6/src/lib/gssapi/krb5/gssapiP_krb5.h#L1295-L1300
Thanks for the prompt response @simo5, this is unfortunate, but not particularly surprising.
Is it possible/reasonable to add some docs to `python-gssapi` to note that the `lifetime` argument might not do what it is advertised as doing? (i.e. you can't set the lifetime, but you can retrieve it)
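
A workaround sketch combining the two points in this thread (an added example, not code from the thread or from python-gssapi): request the lifetime with `kinit -l` into a dedicated cache, load that cache through the `ccache` store key, and check what the credential actually reports. The helper names are hypothetical, and the principal, keytab path and cache name are supplied by the caller.

```python
import subprocess

# Store keys the MIT krb5 mechanism accepts, as listed in the reply above.
ALLOWED_STORE_KEYS = {"keytab", "client_keytab", "ccache",
                      "rcache", "password", "verify"}


def unsupported_store_keys(store):
    """Return the keys in `store` that are not in the list above."""
    return sorted(set(store) - ALLOWED_STORE_KEYS)


def kinit_argv(principal, keytab, ccache, lifetime_s):
    """Build a kinit command that requests a ticket of `lifetime_s` seconds."""
    if lifetime_s <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    # -k/-t: authenticate from the keytab, -c: target cache, -l: lifetime
    return ["kinit", "-k", "-t", keytab, "-c", ccache,
            "-l", f"{lifetime_s}s", principal]


def lifetime_honoured(requested_s, granted_s):
    """True when the reported lifetime does not exceed the request.

    The KDC may grant less than requested; None means no finite lifetime.
    """
    return granted_s is not None and granted_s <= requested_s


def acquire_with_lifetime(principal, keytab, ccache, lifetime_s):
    """Run kinit, then load the resulting cache via the 'ccache' store key."""
    import gssapi  # imported lazily so the helpers above work without it

    store = {"ccache": ccache}
    assert not unsupported_store_keys(store)
    subprocess.run(kinit_argv(principal, keytab, ccache, lifetime_s), check=True)
    creds = gssapi.Credentials(usage="initiate", store=store)
    granted = creds.inquire().lifetime
    if not lifetime_honoured(lifetime_s, granted):
        raise RuntimeError(
            f"asked for {lifetime_s}s, credential reports {granted}s")
    return creds
```

Calling `acquire_with_lifetime` needs a reachable KDC and a valid keytab; the other helpers are pure functions and can be unit-tested on their own.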