GSS krb5 mech and ticket expiration

ghudson@MIT.EDU
Tue Jun 8 12:24:37 EDT 2010


I recently committed a change to stop checking for context expiration
times in the krb5 GSS mech's wrap and unwrap functions.  From the
commit message:

    [...] Heimdal doesn't do it, and it generally results in poor app
    behavior when a ticket expires.  In exchange, it doesn't provide
    much security benefit since it's not enforced across the
    board--for example, ssh sessions can persist beyond ticket
    expiration time since they don't use GSS to wrap payload data.

A factor in our decision was that some users were considering
switching from MIT krb5 to Heimdal for client and application server
libraries purely based on this behavior.  Note that an application can
still inquire the context for the expiration time and perform its own
(hopefully graceful) session expiration or rekeying.

The change is tagged to go into 1.8.2.  I'm bringing it to this list's
attention in case someone has a strong argument for the old behavior
that we're not aware of.  There's obviously a tradeoff between
security and user experience here, but at this point we think user
experience has the more compelling case.


