New KRB5_NO_TICKET_STORE env var

kuser/kgetcred.1

@@ -164,6 +164,20 @@ same behavior as using the
 .Fl Fl canonicalize
 .Fl Fl hostbased
 options here.
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev KRB5CCNAME
+Specifies the default credentials cache.
+.It Ev KRB5_CONFIG
+The file name of
+.Pa krb5.conf ,
+the default being
+.Pa /etc/krb5.conf .
+.It Ev KRB5_NO_TICKET_STORE
+If this variable is present in the environment, any service tickets obtained
+are not added to the credential cache.  This affects all heimdal applications
+and library clients, not just kgetcred.
+.El
 .Sh SEE ALSO
 .Xr kinit 1 ,
 .Xr klist 1 ,

lib/krb5/context.c

@@ -179,7 +179,8 @@ init_context_from_config_file(krb5_context context)
     INIT_FIELD(context, bool, log_utc,
 	       FALSE, "log_utc");
 
-
+    context->no_ticket_store =
+        getenv("KRB5_NO_TICKET_STORE") != NULL;
 
     /* init dns-proxy slime */
     tmp = krb5_config_get_string(context, NULL, "libdefaults",

lib/krb5/get_cred.c

@@ -1266,6 +1266,8 @@ static void
 store_cred(krb5_context context, krb5_ccache ccache,
 	   krb5_const_principal server_princ, krb5_creds *creds)
 {
+    if (context->no_ticket_store)
+        return;
     if (!krb5_principal_compare(context, creds->server, server_princ) &&
         !krb5_principal_is_krbtgt(context, server_princ)) {
         krb5_principal tmp_princ = creds->server;

lib/krb5/krb5_locl.h

@@ -247,6 +247,7 @@ typedef struct krb5_context_data {
     krb5_boolean scan_interfaces;	/* `ifconfig -a' */
     krb5_boolean srv_lookup;		/* do SRV lookups */
     krb5_boolean srv_try_txt;		/* try TXT records also */
+    krb5_boolean no_ticket_store;       /* Don't store service tickets */
     int32_t fcache_vno;			/* create cache files w/ this
                                            version */
     int num_kt_types;			/* # of registered keytab types */