[krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed
Simon Wilkinson via RT
rt-comment at krbdev.mit.edu
Fri Sep 8 05:33:16 EDT 2006
As the person quoted right at the beginning, I should probably
contribute my findings here.
I don't believe that ticket refresh is an issue. I can quite happily
refresh, destroy, or replace my Kerberos credentials from under a
running GSSAPI context, without causing that context to break.
The issue (if there is an issue) is that Heimdal and MIT's behaviour
differ when the initiator's credentials do actually expire. Heimdal
allows the context to continue to be used for wrapping operations
past expiry - MIT expires the context, and calls to wrap() or unwrap()
fail. This difference in behaviour is an issue when using SASL
applications with security layers, as the only way to renew the
context is to reconnect to the server. In addition, many applications
have inadequate error handling around their security layer
implementations.
I suspect that the current MIT behaviour is correct. Whilst there's
no explicit language in RFC2743, it suggests that the length of time
for which the context will be valid depends on credential lifetime.
Simon.
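The inadequate error handling Simon describes usually means an application treats a failed wrap() on an expired context as an unexplained I/O error. The following is an added example (not code from this thread or from MIT or Heimdal) showing how a JGSS client can check the remaining context lifetime before wrapping and turn the CONTEXT_EXPIRED failure into an explicit reconnect signal; the ContextExpiredException type and the caller's reconnect logic are assumptions.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Wraps a message over an established GSS-API context and treats context
 * expiry (the MIT behaviour described in the thread) as a reconnect signal
 * rather than an opaque failure. Hypothetical helper, not part of any
 * library; the caller is expected to re-establish the context on
 * ContextExpiredException.
 */
public final class GssWrapGuard {

    /** Raised when the only remedy is to re-establish the context. */
    public static final class ContextExpiredException extends Exception {
        public ContextExpiredException(String msg, Throwable cause) {
            super(msg, cause);
        }
    }

    /** Refuse to wrap when fewer than this many seconds of lifetime remain (assumed threshold). */
    private static final int MIN_LIFETIME_SECONDS = 5;

    public static byte[] wrapOrReconnect(GSSContext ctx, byte[] plaintext)
            throws GSSException, ContextExpiredException {
        // Pre-check: MIT ties the context lifetime to the initiator's credential
        // lifetime, so a nearly expired context will fail on the next wrap() anyway.
        int remaining = ctx.getLifetime();
        if (remaining < MIN_LIFETIME_SECONDS) {
            throw new ContextExpiredException(
                "GSS context has " + remaining + "s left; re-establish before sending", null);
        }
        // qop 0 = default; privState true requests confidentiality as well as integrity.
        MessageProp prop = new MessageProp(0, true);
        try {
            return ctx.wrap(plaintext, 0, plaintext.length, prop);
        } catch (GSSException e) {
            // MIT: wrap()/unwrap() on an expired context fail with CONTEXT_EXPIRED;
            // Heimdal may keep going. Only the expiry case becomes a reconnect signal.
            if (e.getMajor() == GSSException.CONTEXT_EXPIRED) {
                throw new ContextExpiredException(
                    "GSS context expired with initiator credentials; reconnect", e);
            }
            throw e; // any other failure is a real error, not a renewal case
        }
    }
}
```

The same handling applies to unwrap() on the receiving side; on the Heimdal behaviour the pre-check is what stops a context from silently outliving the credentials that authenticated it.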