GSSAPI - context lifetime
simon at sxw.org.uk
Fri May 30 08:04:00 EDT 2008
On 29 May 2008, at 22:23, Russ Allbery wrote:
> Because all products of a Kerberos authentication should be tied to a
> ticket lifetime. Otherwise, the ticket lifetime isn't meaningfully
> enforced; someone who obtains a ticket at some point could authenticate to
> a service and simply stay authenticated, and there would be no good way of
> rejecting their later operations.
This issue appears from time to time on the OpenLDAP list.
Unfortunately, Heimdal and MIT have different behaviours in this area
- Heimdal allows gss_wrap() and unwrap() to be used within an expired
context. The OpenLDAP code fails to handle the situation where these
calls fail within the SASL layer, and hangs when attempting to
perform connections with an expired context. Essentially, this means
that MIT Kerberos cannot be used to back the GSSAPI SASL mechanism
within their replication code, without requiring a server restart
every time the GSS context expires.
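The two behaviours described above, and the difference between a caller that retries on a failed wrap and one that treats expiry as "tear down and rebind", as an added example that is not part of this thread and not OpenLDAP, Cyrus SASL, MIT or Heimdal code. ModelGssContext, Connection and the wrap_after_expiry flag are hypothetical stand-ins: the flag only models the difference the message describes (Heimdal-like: wrap/unwrap still work on an expired context; MIT-like: they fail), and remaining() plays the role of gss_context_time().

```python
# Added example: a model of a SASL-style security layer over a GSS context
# with a lifetime. Hypothetical names; not the GSSAPI and not any project's code.


class ContextExpired(Exception):
    """Models the GSS_S_CONTEXT_EXPIRED failure from gss_wrap()/gss_unwrap()."""


class ModelGssContext:
    """Stand-in for a GSS security context (hypothetical)."""

    def __init__(self, established_at, lifetime, wrap_after_expiry):
        # wrap_after_expiry=True models the Heimdal-like behaviour described
        # in the thread (wrap still works on an expired context); False models
        # the MIT-like behaviour (wrap fails once the context has expired).
        self.expiry = established_at + lifetime
        self.wrap_after_expiry = wrap_after_expiry

    def remaining(self, now):
        """Plays the role of gss_context_time(): seconds left, 0 once expired."""
        return max(0, self.expiry - now)

    def wrap(self, data, now):
        """Plays the role of gss_wrap() on this context."""
        if now >= self.expiry and not self.wrap_after_expiry:
            raise ContextExpired
        return b"WRAP(" + data + b")"


class Connection:
    """A client holding one context and re-establishing it when needed."""

    def __init__(self, lifetime, wrap_after_expiry):
        self.lifetime = lifetime
        self.wrap_after_expiry = wrap_after_expiry
        self.ctx = None
        self.rebinds = 0

    def bind(self, now):
        """Models a fresh GSSAPI SASL bind: a new context, so a new lifetime."""
        self.ctx = ModelGssContext(now, self.lifetime, self.wrap_after_expiry)
        self.rebinds += 1

    def send_naive(self, data, now, max_attempts=3):
        """The failure mode: retry wrap on the same, expired context.

        With an MIT-like context no retry can ever succeed; a caller that
        retries without bound is the hang described in the thread. The attempt
        cap here only keeps the model terminating."""
        for _ in range(max_attempts):
            try:
                return self.ctx.wrap(data, now)
            except ContextExpired:
                continue
        return None

    def send(self, data, now):
        """Correct handling of an expiring context.

        Check the remaining lifetime before every use: this also covers the
        Heimdal-like case, where wrap would keep succeeding past expiry and the
        ticket lifetime would otherwise never be enforced. If wrap still fails
        with ContextExpired (expiry between the check and the call), rebind
        and wrap once on the fresh context instead of retrying the old one."""
        if self.ctx is None or self.ctx.remaining(now) == 0:
            self.bind(now)
        try:
            return self.ctx.wrap(data, now)
        except ContextExpired:
            self.bind(now)
            return self.ctx.wrap(data, now)
```

With an MIT-like context, send_naive() on an expired context returns None no matter how often it retries, which is why "retry the wrap" is the wrong reaction and "rebind" is the right one; with a Heimdal-like context the naive path keeps succeeding past expiry, so only the explicit lifetime check in send() ties later operations back to the ticket lifetime.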