GSSAPI - context lifetime

Russ Allbery rra at
Thu May 29 17:23:09 EDT 2008

"Machin, Glenn D" <GMachin at> writes:

> I apologize if this is not the right forum for this question.
> The gss_wrap and seal routines are dependent on the context endtime. The
> context endtime is derived from the service ticket lifetime. For a
> gssftp session if multiple data transfers exceed the ticket lifetime the
> gssftp session fails.
> Can someone tell me why the context is tied to ticket lifetime?

Because all products of a Kerberos authentication should be tied to a
ticket lifetime.  Otherwise, the ticket lifetime isn't meaningfully
enforced; someone who obtains a ticket at some point could authenticate to
a service and simply stay authenticated, and there would be no good way of
rejecting their later operations.

Russ Allbery

More information about the krbdev mailing list