
Clear out cached access keys for remote servers Network
This is a hint to avoid a potential security issue caused by a standard system function (or feature). If you connect to a service on a remote server, you will be asked for your login and password. If you say No to the 'Remember this password in my keychain' dialog, you may wonder why you will not be asked for your login and password next time you connect to the service.

In my case, I wanted to show a remote service like VNC to a colleague while he was logged in on the local machine. I disconnected from the service and was able to connect to it again without being prompted for my login and password. This can be a security issue for many reasons, e.g. working on someone else's account etc.

Solution: To prevent reconnecting without a password, you need to delete the Kerberos Ticket that was created while connecting to the service the first time. This ticket expires after a certain amount of time (10 hours by default), but I guess a ticket that grants access for 10 hours is not what most people expect when telling the system not to remember their login/password for the service. At the least, I'd expect to see a warning about the 10-hour ticket being created.

To delete the ticket, open Keychain Access (in the Applications » Utilities folder) and choose Keychain Access » Kerberos Ticket Viewer from the menu. (The viewer is actually a separate application, located in /System » Library » CoreServices.) In the viewer, delete the listed ticket associated with the service. By the way, the Kerberos Ticket Viewer program has many preferences, e.g. to set the default time of 10 hours to less, that you can set in the program's Preferences screen.
Clear out cached access keys for remote servers
Authored by: skrawcke on May 06, '08 08:55:37AM
You can also use the command line to do the same thing. To list your tickets, use the klist command; you will see something like this:
>% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: steve@DOMAIN.COM

Valid Starting     Expires            Service Principal
05/06/08 11:50:02  05/06/08 21:50:02  krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 05/13/08 11:50:02
To destroy the ticket, use the kdestroy command. To destroy only your ticket, you can do:
>% kdestroy -p steve@DOMAIN.COM



Clear out cached access keys for remote servers
Authored by: mubarak on May 06, '08 06:24:06PM

Or just type

kdestroy -a

to destroy all tickets.



Clear out cached access keys for remote servers
Authored by: chetpot on Dec 15, '10 06:14:20PM
Here is another option for use on your personal system since it requires editing your local plist.

From the CLI type:

% open ~/Library/Preferences/edu.mit.Kerberos.IdentityManagement.plist

then change

<key>CredentialLifetime</key>
<integer>36000</integer>
to

<key>CredentialLifetime</key>
<integer>1</integer>


[ Reply to This | # ]
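
Added example (not part of the original hint or its comments): a small POSIX shell filter that reads klist output in the layout quoted in the first comment and lists the tickets that have not yet expired, as a check before letting someone else use the session. The function names and the host/ sample row are constructed for illustration, and the parser assumes klist prints exactly that MM/DD/YY column layout.

```shell
#!/bin/sh
# Added example: report Kerberos tickets that are still valid, so a cached
# ticket is noticed before handing the session to someone else.
# Assumes the klist layout quoted in the first comment
# (MM/DD/YY HH:MM:SS start and expiry columns, then the service principal).

# list_live_tickets NOW   (klist output on stdin)
#   NOW uses the same "MM/DD/YY HH:MM:SS" format klist prints.
#   Prints "<service principal> expires <date> <time>" per unexpired ticket.
list_live_tickets() {
    awk -v now="$1" '
        # Rearrange date and time into a sortable YYMMDDHHMMSS key.
        # Two-digit years: only meaningful within one century.
        function key(d, t,    a, b) {
            split(d, a, "/"); split(t, b, ":")
            return a[3] a[1] a[2] b[1] b[2] b[3]
        }
        BEGIN { split(now, n, " "); nowkey = key(n[1], n[2]) }
        # Ticket rows begin with a date; "renew until" and header lines do not.
        NF >= 5 && $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
            if (key($3, $4) > nowkey) print $5, "expires", $3, $4
        }
    '
}

# Number of unexpired tickets in the klist output on stdin.
count_live_tickets() {
    list_live_tickets "$1" | wc -l | tr -d ' '
}

# Sample input: the klist output from the first comment, plus one
# constructed host/ row that has already expired at the sample time below.
SAMPLE="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: steve@DOMAIN.COM

Valid Starting     Expires            Service Principal
05/06/08 11:50:02  05/06/08 21:50:02  krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 05/13/08 11:50:02
05/06/08 08:00:00  05/06/08 12:00:00  host/server.domain.com@DOMAIN.COM"

# Constructed "current time", two hours after the ticket was issued.
printf '%s\n' "$SAMPLE" | list_live_tickets "05/06/08 13:50:02"

# Against a real cache (assumes klist prints the layout above):
#   klist 2>/dev/null | list_live_tickets "$(date '+%m/%d/%y %H:%M:%S')"
```

Any line this prints is a ticket that would still let the service reconnect without a password prompt; after kdestroy the filter prints nothing.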