GSSAPI - context lifetime
rra at stanford.edu
Fri May 30 13:12:35 EDT 2008
Simon Wilkinson <simon at sxw.org.uk> writes:
> This issue appears from time to time on the OpenLDAP list.
> Unfortunately, Heimdal and MIT have different behaviours in this area -
> Heimdal allows gss_wrap() and unwrap() to be used within an expired
> context. The OpenLDAP code fails to handle the situation where these
> calls fail within the SASL layer, and hangs when attempting to perform
> connections with an expired context. Essentially, this means that MIT
> Kerberos cannot be used to back the GSSAPI SASL mechanism within their
> replication code, without requiring a server restart every time the GSS
> context expires.
Yeah, the problem with SASL not knowing how to reauthenticate or see
expiration of sessions is a major problem, and I agree that this makes a
completely "formally" proper treatment of session expiration hard enough
that it may not be a good idea.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev