Set a more reasonable timeout for gss auth cache.

svcgssd gives info to the kernel for gss authentication and encryption. This information currently has no expiry time and is never flushed so it will be collected forever and eventually cause a significant waste of memory.

So set the expiry times smaller.

For session initialisation, the context info should only be needed once. So set a timeout of one minute.

For ongoing context information it could be needed for some time, so set a timeout of one hour.

See bnc#442490

From: NeilBrown
Signed-off-by: NeilBrown

--- utils/svcgssd/svcgssd_proc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) Index: nfs-utils-1.1.3/utils/gssd/svcgssd_proc.c =================================================================== --- nfs-utils-1.1.3.orig/utils/gssd/svcgssd_proc.c +++ nfs-utils-1.1.3/utils/gssd/svcgssd_proc.c @@ -86,7 +86,9 @@ do_svc_downcall(gss_buffer_desc *out_han } qword_printhex(f, out_handle->value, out_handle->length); /* XXX are types OK for the rest of this? */ - qword_printint(f, 0x7fffffff); /*XXX need a better timeout */ + + /* 'context' could be needed for a while. */ + qword_printint(f, time(0) + 60*60); qword_printint(f, cred->cr_uid); qword_printint(f, cred->cr_gid); qword_printint(f, cred->cr_ngroups); @@ -130,7 +132,8 @@ send_response(FILE *f, gss_buffer_desc * qword_addhex(&bp, &blen, in_handle->value, in_handle->length); qword_addhex(&bp, &blen, in_token->value, in_token->length); - qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */ + /* INIT context info will only be needed for a short while */ + qword_addint(&bp, &blen, time(0) + 60); qword_adduint(&bp, &blen, maj_stat); qword_adduint(&bp, &blen, min_stat); qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
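
Review bot: In the do_svc_downcall hunk, `qword_printint(f, time(0) + 60*60);` gives every context the same fixed one-hour expiry counted from the downcall, independent of how long the GSS context itself remains valid and of whether the client is still using it. A session that stays active past the hour will have its entry expire while in use, so either derive the value from the context's own lifetime, if the caller can supply it, or state in the comment what the client is expected to do once the entry has expired. Please also replace the bare `60*60` with a named constant. The retained comment just above already asks "XXX are types OK for the rest of this?", so confirm that the time_t expression fits the integer type qword_printint takes, and that <time.h> is already included, since the diffstat shows only these two hunks and no added include.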
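
Review bot: In the send_response hunk, `qword_addint(&bp, &blen, time(0) + 60);` hard-codes the INIT expiry as a bare `60` added to the wall clock at the moment the response is written. A named constant defined beside the one-hour value would keep both expiry policies visible in one place, and the new comment should say what happens if the entry expires before it has been consumed: the commit message says the info is needed only once, but nothing here states the consequence of missing the one-minute window. Separately, the diffstat names utils/svcgssd/svcgssd_proc.c while the Index and ---/+++ headers name utils/gssd/svcgssd_proc.c; the two should agree.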