[krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed
Russ Allbery via RT
rt-comment at krbdev.mit.edu
Fri Sep 8 22:42:52 EDT 2006
Quanah Gibson-Mount via RT <rt-comment at krbdev.mit.edu> writes:
> Thanks Simon for the follow-up. So it sounds like then, the error here
> really is inside cyrus-sasl then?
There is at least *some* error inside Cyrus SASL. The behavior that we're
seeing (in a different context than the one Quanah originally raised) is
that Cyrus SASL will go into a tight loop inside the library logging
messages about expired contexts without ever returning to the application.
That's clearly broken. I just haven't been able to find where the
brokenness is yet (mostly because I haven't had a chance to look in
depth).
Whether there's also a separate error in Kerberos is a different question.
It's looking to me like there's actually (arguable) incorrect behavior in
Heimdal, in that once a Kerberos ticket expires, I think a strong argument
can be made that the products of that ticket, such as the session key used
to provide confidentiality, are no longer valid either.
I don't know what that would mean for, say, a version of ssh that did
integrity protection using GSSAPI, though. Having your login session go
away because your original ticket expired might be technically correct but
sounds rather bad.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krb5-bugs
mailing list