[krbdev.mit.edu #2620] Don't expire contexts when tickets expire
Sam Hartman
hartmans at MIT.EDU
Mon Jul 5 18:47:57 EDT 2004
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> Sam Hartman via RT wrote:
>> we have agreed to a customer requirement that context
>> expiration not happen when ticket expiration happens.
>>
>> The tricky part here is to figure out what gss_inquire_context
>> should return. I'd really rather make the lifetime advisory
>> but I'm not sure that is consistent with the spec.
Douglas> It may not be consistent, but it is the practical thing to
Douglas> do. This should be one of the issues for KITTEN.
It's an issue for kitten already.
Clearly something in this space needs to be done. Options are:
* Have krb5 credentials claim they have indefinite lifetime at the
gssapi layer; clearly consistent with the spec
* Have krb5 credentials claim their correct lifetime and have gss
contexts claim indefinite lifetime; also probably consistent with
the spec.
* Treat the lifetime as advisory and never expire contexts. This
allows for best application design but may be inconsistent with the
spec.