GSSAPI - context lifetime

Douglas E. Engert deengert at anl.gov
Thu May 29 17:55:35 EDT 2008



Russ Allbery wrote:
> "Machin, Glenn D" <GMachin at sandia.gov> writes:
> 
>> I apologize if this is not the right forum for this question.
>>
>> The gss_wrap and seal routines are dependent on the context endtime. The
>> context endtime is derived from the service ticket lifetime. For a
>> gssftp session if multiple data transfers exceed the ticket lifetime the
>> gssftp session fails.
>>
>> Can someone tell me why the context is tied to ticket lifetime?
> 
> Because all products of a Kerberos authentication should be tied to a
> ticket lifetime.  Otherwise, the ticket lifetime isn't meaningfully
> enforced; someone who obtains a ticket at some point could authenticate to
> a service and simply stay authenticated, and there would be no good way of
> rejecting their later operations.

Rsh and rlogin with Kerberos have no time limit on their connection. SSH has
no time limit on its connection, even when authenticating using GSS.

Sessions using certificates, passwords or other authentications don't
have timeouts.

I would argue: It should be a policy decision of the service as to the
length of a session. The ticket lifetime *COULD* be used in the decision,
but it should not be forced by the GSSAPI, unless requested by the service
or client.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444