[krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed

Quanah Gibson-Mount via RT rt-comment at krbdev.mit.edu
Fri Sep 8 12:08:59 EDT 2006



--On Friday, September 08, 2006 5:33 AM -0400 Simon Wilkinson via RT 
<rt-comment at krbdev.mit.edu> wrote:

> As the person quoted right at the beginning, I should probably
> contribute my findings here.
>
> I don't believe that ticket refresh is an issue. I can quite happily
> refresh, destroy, or replace my Kerberos credentials from under a
> running GSSAPI context, without causing that context to break.
>
> The issue (if there is an issue) is that Heimdal and MIT's behaviour
> differ when the initiator's credentials do actually expire. Heimdal
> allows the context to continue to be used for wrapping operations
> past expiry - MIT expires the context, and calls to wrap() or
> unwrap() fail. This difference in behaviour is an issue when using SASL
> applications with security layers, as the only way to renew the
> context is to reconnect to the server. In addition, many applications
> have inadequate error handling around their security layer
> implementations.
>
> I suspect that the current MIT behaviour is correct. Whilst there's
> no explicit language in RFC2743, it suggests that the length of time
> for which the context will be valid depends on credential lifetime.


Thanks Simon for the follow-up.  So it sounds like the error here 
really is inside cyrus-sasl, then?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html