On Wed, Aug 09, 2017 at 03:01:16PM -0400, Jeffrey Altman wrote:
> I hope this is an unnecessary question, but will all Kerberos libraries
> that parse the file cache know to skip the expired entries and keep
> searching? Or are there implementations that will only return the first
> service principal match?

The krb5 API used, krb5_cc_retrieve_cred(), supports this going back a
long time in MIT, and probably in Heimdal, but you have to ask for this
by including KRB5_TC_MATCH_TIMES in the options flags argument.
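
An added illustration, not part of the original message and not code from MIT krb5 or Heimdal: a self-contained C model of a file-cache scan, showing how a lookup without time matching returns an expired entry that precedes a valid one for the same service principal. `model_cred`, `model_retrieve`, `MODEL_MATCH_TIMES` and the sample cache are constructed for this example, and the comparison rule (a cached entry matches only if its end time is at least the requested end time) is an assumption about how KRB5_TC_MATCH_TIMES behaves.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical flag for this model; it stands in for KRB5_TC_MATCH_TIMES. */
#define MODEL_MATCH_TIMES 0x1

/* Simplified cache entry: only the fields this lookup compares. */
struct model_cred {
    const char *server;   /* service principal name */
    time_t endtime;       /* ticket expiry, seconds */
};

/* Constructed sample cache: an expired entry precedes its replacement. */
static const struct model_cred sample_cache[] = {
    { "other/host.example.test@EXAMPLE.TEST", 9000 },
    { "svc/host.example.test@EXAMPLE.TEST",   1000 },  /* expired */
    { "svc/host.example.test@EXAMPLE.TEST",   9000 },  /* still valid */
};

/* Linear scan; returns the index of the first match, or -1 if none.
 * With MODEL_MATCH_TIMES set, entries that end before want->endtime
 * are skipped and the scan keeps going. */
int model_retrieve(const struct model_cred *cache, size_t n, int flags,
                   const struct model_cred *want)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, want->server) != 0)
            continue;
        if ((flags & MODEL_MATCH_TIMES) && cache[i].endtime < want->endtime)
            continue;               /* expired for this request */
        return (int)i;
    }
    return -1;
}

/* Look up the sample service, asking for a ticket valid at time `now`. */
int model_lookup(int flags, time_t now)
{
    struct model_cred want = { "svc/host.example.test@EXAMPLE.TEST", now };
    return model_retrieve(sample_cache, 3, flags, &want);
}

int main(void)
{
    printf("no time match: index %d\n", model_lookup(0, 5000));
    printf("time match:    index %d\n", model_lookup(MODEL_MATCH_TIMES, 5000));
    return 0;
}
```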