Bug 7605 - Kerberos TGTs aren't refreshed/recreated on reconnect
Summary: Kerberos TGTs aren't refreshed/recreated on reconnect
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
Depends on: 2466
Reported: 2020-12-09 09:32 CET by Pierre Ossman
Modified: 2022-10-12 13:57 CEST
Description Pierre Ossman cendio 2020-12-09 09:32:38 CET
If you use ThinLinc on a Kerberos capable system then the user will get a TGT as part of the session creation (assuming a password was available for SSO). However, this TGT will eventually expire and become useless. At this point many things might break for the user.

The responsibility of refreshing this ticket lies at least partially with ThinLinc, as with a local login, unlocking the screensaver would yield a fresh TGT for the user. Since the screen saver is generally not used with ThinLinc, instead replaced with an idle timer and reconnect, the normal mechanism doesn't work.
Comment 2 Pierre Ossman cendio 2021-12-06 16:20:19 CET
Refreshing is now commonly handled by a central daemon, generally sssd. This is done by letting it own the ticket cache via the KCM cache method:

https://fedoraproject.org/wiki/Changes/KerberosKCMCache

This doesn't solve the issue if the TGT is completely expired and needs a new full authentication though.

Note that this also means a shared credentials cache, rather than one per session. If you configure some other service (e.g. sshd) to clean out the cache on logout then it can affect ThinLinc adversely. We need to decide if we consider that a ThinLinc problem or a sshd problem.
Comment 4 Pierre Ossman cendio 2022-10-12 13:57:42 CEST
OpenSSH does indeed nuke those shared credentials by default. Red Hat/Fedora noticed that here and changed their default:

https://bugzilla.redhat.com/show_bug.cgi?id=1055016

We probably need to check the different distributions here.
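An added diagnostic check, not part of this bug thread or of ThinLinc, that covers the two points raised above: whether a session's credential cache is of a shared type (KCM or KEYRING, owned by a daemon such as sssd) or per session, and whether the TGT is merely close to expiry (a renewing daemon can help) or already expired (a full new authentication is needed). It assumes MIT `klist` output with four-digit years; the sample output is constructed.

```python
"""Diagnose a session's Kerberos credential cache: cache scope and TGT lifetime."""
import re
import subprocess
from datetime import datetime

# Cache types that a central daemon (e.g. sssd via KCM) can own on the user's
# behalf; every session of that user sees the same cache, so a cleanup by one
# service (e.g. sshd on logout) removes the tickets of all sessions.
SHARED_CACHE_TYPES = {"KCM", "KEYRING"}


def cache_scope(ccname):
    """Classify a KRB5CCNAME value as 'shared' or 'per-session'.
    A bare path without a type prefix is a FILE cache (per session)."""
    ctype = ccname.split(":", 1)[0].upper() if ":" in ccname else "FILE"
    return "shared" if ctype in SHARED_CACHE_TYPES else "per-session"


# Constructed sample of MIT `klist` output (not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
12/09/2020 09:32:38  12/09/2020 19:32:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 12/16/2020 09:32:38
12/09/2020 09:40:01  12/09/2020 19:32:38  host/fs.example.com@EXAMPLE.COM
"""

TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", re.M)


def tgt_state(klist_output, now):
    """Return (cache name, seconds until the TGT expires).
    None means no TGT in the cache; a negative value means it has already
    expired, so renewal by a daemon cannot help and a new login is needed."""
    cache = re.search(r"^Ticket cache: (\S+)", klist_output, re.M).group(1)
    m = TGT_RE.search(klist_output)
    if m is None:
        return cache, None
    expires = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
    return cache, (expires - now).total_seconds()


def check_current_session():
    """Run the real `klist` (assumed on PATH) and report cache scope and TGT state."""
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    cache, remaining = tgt_state(out, datetime.now())
    return cache_scope(cache), remaining
```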
