GSSAPI - context lifetime

Douglas E. Engert deengert at
Thu May 29 17:55:35 EDT 2008

Russ Allbery wrote:
> "Machin, Glenn D" <GMachin at> writes:
>> I apologize if this is not the right forum for this question.
>> The gss_wrap and seal routines are dependent on the context endtime. The
>> context endtime is derived from the service ticket lifetime. For a
>> gssftp session if multiple data transfers exceed the ticket lifetime the
>> gssftp session fails.
>> Can someone tell me why the context is tied to ticket lifetime?
> Because all products of a Kerberos authentication should be tied to a
> ticket lifetime.  Otherwise, the ticket lifetime isn't meaningfully
> enforced; someone who obtains a ticket at some point could authenticate to
> a service and simply stay authenticated, and there would be no good way of
> rejecting their later operations.

Rsh and rlogin with Kerberos have no time limit on their connection. SSH has
no time limit on its connection, even when authenticating using GSS.

Sessions using certificates, passwords or other authentications don't
have timeouts.

I would argue: It should be a policy decision of the service as to the
length of a session. The ticket lifetime *COULD* be used in the decision,
but it should not be forced by the GSSAPI, unless requested by the service
or client.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list