GSSAPI - context lifetime
Russ Allbery
rra at stanford.edu
Thu May 29 17:23:09 EDT 2008
"Machin, Glenn D" <GMachin at sandia.gov> writes:
> I apologize if this is not the right forum for this question.
>
> The gss_wrap and seal routines are dependent on the context endtime. The
> context endtime is derived from the service ticket lifetime. For a
> gssftp session if multiple data transfers exceed the ticket lifetime the
> gssftp session fails.
>
> Can someone tell me why the context is tied to ticket lifetime?
Because all products of a Kerberos authentication should be tied to a
ticket lifetime. Otherwise, the ticket lifetime isn't meaningfully
enforced; someone who obtains a ticket at some point could authenticate to
a service and simply stay authenticated, and there would be no good way of
rejecting their later operations.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
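An added illustration of the point Russ makes, written for this page and not taken from the thread or from MIT Kerberos: a small Python model in which a security context inherits its endtime from the service ticket, wrap/unwrap refuse to work after that endtime (where the real library would return GSS_S_CONTEXT_EXPIRED), and a long-running client avoids the gssftp failure Glenn describes by checking the remaining context time (the real call is gss_context_time) and re-establishing the context from a fresh ticket before it runs out. The `Kdc` class, the HMAC-based wrap, the clock values and the service name `ftp/host.example` are constructed stand-ins, not the Kerberos protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass

MIC_LEN = 32  # SHA-256 digest length used by the toy wrap token


class ContextExpired(Exception):
    """Stands in for GSS_S_CONTEXT_EXPIRED."""


@dataclass(frozen=True)
class Ticket:
    """Service ticket: session key plus the lifetime the KDC granted."""
    service: str
    session_key: bytes
    endtime: int  # absolute time in seconds on a constructed clock


class Kdc:
    """Constructed stand-in for the KDC; issues tickets with a fixed lifetime."""

    def __init__(self, ticket_lifetime: int):
        self.ticket_lifetime = ticket_lifetime
        self.issued = 0

    def issue(self, service: str, now: int) -> Ticket:
        self.issued += 1
        # Deterministic key for the example only; real session keys are random.
        key = hashlib.sha256(f"{service}|{now}|{self.issued}".encode()).digest()
        return Ticket(service, key, now + self.ticket_lifetime)


class SecurityContext:
    """Established context whose lifetime is the ticket's, not open-ended."""

    def __init__(self, ticket: Ticket):
        self.ticket = ticket
        self.endtime = ticket.endtime  # derived from the service ticket lifetime

    def context_time(self, now: int) -> int:
        """Remaining validity in seconds, like gss_context_time (0 once expired)."""
        return max(0, self.endtime - now)

    def _check(self, now: int) -> None:
        if now >= self.endtime:
            raise ContextExpired(f"context expired at t={self.endtime}, now t={now}")

    def wrap(self, now: int, data: bytes) -> bytes:
        """Integrity-protect a message; refused once the ticket lifetime has passed."""
        self._check(now)
        mic = hmac.new(self.ticket.session_key, data, hashlib.sha256).digest()
        return mic + data

    def unwrap(self, now: int, token: bytes) -> bytes:
        """Verify and strip the MIC; expiry is enforced on the receiving side too."""
        self._check(now)
        mic, data = token[:MIC_LEN], token[MIC_LEN:]
        expected = hmac.new(self.ticket.session_key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(mic, expected):
            raise ValueError("integrity check failed")
        return data


def run_session(transfer_starts, ticket_lifetime, refresh_margin=0):
    """Run one data transfer per start time over a single session.

    Returns (completed, failed, reauthentications). With refresh_margin=0 the
    client behaves like the gssftp session in the question: it keeps using the
    context established at the start and stops working once a transfer falls
    past the ticket endtime. With a positive margin the client checks the
    remaining context time before each transfer and re-establishes the context
    from a fresh ticket when it is about to expire. Re-authenticating still
    requires valid credentials at that moment, which is what ties every later
    operation back to a ticket lifetime.
    """
    service = "ftp/host.example"  # constructed service principal
    kdc = Kdc(ticket_lifetime)
    ticket = kdc.issue(service, transfer_starts[0])
    client, server = SecurityContext(ticket), SecurityContext(ticket)
    completed = failed = reauths = 0
    for t in transfer_starts:
        if refresh_margin and client.context_time(t) < refresh_margin:
            ticket = kdc.issue(service, t)
            client, server = SecurityContext(ticket), SecurityContext(ticket)
            reauths += 1
        try:
            token = client.wrap(t, b"data block")
            server.unwrap(t, token)
            completed += 1
        except ContextExpired:
            failed += 1
            break  # the session is unusable once this happens
    return completed, failed, reauths


if __name__ == "__main__":
    starts = [0, 30, 60, 90, 120]
    print("no refresh:  ", run_session(starts, ticket_lifetime=100))
    print("refresh <20s:", run_session(starts, ticket_lifetime=100, refresh_margin=20))
```

With a 100-second ticket and transfers starting at 0, 30, 60, 90 and 120 seconds, the first run completes four transfers and fails on the fifth, matching the behaviour in the question; the second run re-authenticates once at t=90 and completes all five.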