<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2656.13">
<TITLE>GSSAPI context time limitation</TITLE>
</HEAD>
<BODY>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">I</FONT> <FONT SIZE=2 FACE="Arial">have</FONT> <FONT SIZE=2 FACE="Arial">two servers</FONT> <FONT SIZE=2 FACE="Arial">that</FONT><FONT SIZE=2 FACE="Arial"></FONT> <FONT SIZE=2 FACE="Arial">provided services. Call one the master and one the slave. Either one of these servers can be</FONT> <FONT SIZE=2 FACE="Arial">accesses</FONT><FONT SIZE=2 FACE="Arial">, but</FONT> <FONT SIZE=2 FACE="Arial">I</FONT><FONT SIZE=2 FACE="Arial"> want to create a</FONT> <FONT SIZE=2 FACE="Arial">communications</FONT><FONT SIZE=2 FACE="Arial"></FONT> <FONT SIZE=2 FACE="Arial">channel for the messages to synchronize the data in real (or near real) time. </FONT> <FONT SIZE=2 FACE="Arial"> I would like to keep the</FONT> <FONT SIZE=2 FACE="Arial">communications</FONT> <FONT SIZE=2 FACE="Arial">channel open all the time for speed sakes.</FONT><FONT SIZE=2 FACE="Arial"></FONT> </P>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">The master is considered the</FONT> <FONT SIZE=2 FACE="Arial">gssapi</FONT> <FONT SIZE=2 FACE="Arial">server.</FONT></P>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">The slave through native krb5 code acquires credentials from</FONT> <FONT SIZE=2 FACE="Arial">a keytab file, then stores them in a temp credentials cache.</FONT> <FONT SIZE=2 FACE="Arial">I open a</FONT> <FONT SIZE=2 FACE="Arial">communications</FONT><FONT SIZE=2 FACE="Arial"> channel (TCP),</FONT><FONT SIZE=2 FACE="Arial"> then use gssapi to create a gssapi context with the master and send my messages back and forth.</FONT></P>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">The problem arises that these services may be up for an extended period of time, yet the gssapi context will expire</FONT><FONT SIZE=2 FACE="Arial">. Is there a way to establish a gssapi context, and use wrap and unwrap despite the fact that the context, or even the TGT used to establish the context may be expired?</FONT></P>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">Thanks for your help.</FONT></P>
<P ALIGN=LEFT><FONT SIZE=2 FACE="Arial">-dan</FONT></P>
<P ALIGN=LEFT><A NAME="_MailAutoSig"><FONT COLOR="#000000" SIZE=2 FACE="Arial">--------------------------------------</FONT></A></P>
<P ALIGN=LEFT><FONT COLOR="#000000" SIZE=2 FACE="Arial">Daniel Wachdorf</FONT></P>
<P ALIGN=LEFT><FONT COLOR="#000000" SIZE=2 FACE="Arial">drwachd@sandia.gov</FONT></P>
<P ALIGN=LEFT><FONT COLOR="#000000" SIZE=2 FACE="Arial">Sandia National Laboratories</FONT></P>
<P ALIGN=LEFT><FONT COLOR="#000000" SIZE=2 FACE="Arial">System Security Research and Integration</FONT></P>
<P ALIGN=LEFT><FONT COLOR="#000000" SIZE=2 FACE="Arial">505-284-8060</FONT></P>
<BR>
<P ALIGN=LEFT></P>
</BODY>
</HTML>