GSSAPI - context lifetime

Simon Wilkinson simon at
Fri May 30 08:04:00 EDT 2008

On 29 May 2008, at 22:23, Russ Allbery wrote:

> Because all products of a Kerberos authentication should be tied to a
> ticket lifetime.  Otherwise, the ticket lifetime isn't meaningfully
> enforced; someone who obtains a ticket at some point could authenticate to
> a service and simply stay authenticated, and there would be no good way of
> rejecting their later operations.

This issue appears from time to time on the OpenLDAP list. Unfortunately, Heimdal and MIT have different behaviours in this area - Heimdal allows gss_wrap() and unwrap() to be used within an expired context. The OpenLDAP code fails to handle the situation where these calls fail within the SASL layer, and hangs when attempting to perform connections with an expired context. Essentially, this means that MIT Kerberos cannot be used to back the GSSAPI SASL mechanism within their replication code, without requiring a server restart every time the GSS context expires.

