RT/krbdev.mit.edu: Ticket #6739 Behavior change: gssapi context expiration

RT/krbdev.mit.edu: Ticket #6739 Behavior change: gssapi context expiration

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
6739

Status
resolved

Worked
0 min

Priority
0/0

Queue
krb5

Keyword Selections

Component
Version_reported
Version_Fixed	1.8.3
Target_Version	1.8.3
Tags	pullup

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

Dates

Created:	Tue Jun 8 11:45:18 2010
Starts:	Not set
Started:	Tue Jun 8 12:14:25 2010
Last Contact:	Thu Jun 10 17:14:28 2010
Due:	Not set
Updated:	Thu Jun 10 17:14:28 2010 by tlyu

People

Owner
ghudson
Requestors
hartmans@mit.edu
Cc

AdminCc

More about Sam Hartman

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

1220: automatically updating tgt keys desired (new)
1221: password history should use master key (new)
1231: kdc/kdc_util.c: add_to_transited_encoding fails to support null fields (new)
1272: ktutil addent is not documented (new)
1273: kadmin should gain option to remove old keys from keytab (new)
1274: kadmin should not authenticate simply to run the ktrem command (new)
1340: capaths documentation insufficient (open)
1341: krb5.conf and kdc.conf should be merged (new)
1366: src/lib/gssapi/krb5/add_cred.c could benefit from goto (new)
1407: KDC should not check transited policy on intermediat tgts (new)
1445: GSSAPI can fail to generate error in GSS_C_NO_CREDENTIAL case (new)
1505: use_master loop seems at wrong abstraction (new)
1507: Convert principal name accessors to functions (new)
1516: reject_bad_transit not handled through definitions.texinfo (new)
1671: no locking used when reading/writing replay cache? (new)
2078: [Ray Schneider] ksu man page nit (new)
2110: MIT KDC fails to handle unknown padata (open)
2497: krb5_fcc_generate_new should use mkstemp (open)
2555: kadmind uses channel bindings (new)
2620: Don't expire contexts when tickets expire (new)
2696: Nullsoft Installer does not preserve configuration settings (open)
2794: Implement krb5_c_prf and GSSAPI prf (new)
3181: init_ctx.c has goto labels crossing outside of switch arms (new)
3328: src/lib/gssapi/krb5/3des.txt incorrect (new)
3425: Buffer overflows in kdb_load_library could lead to arbitrary code execution (new)

History

Display mode: [Brief headers] [Full headers]

Tue Jun 8 11:45:18 2010	hartmans - Ticket created
To: krb5-bugs@MIT.EDU Subject: Behavior change: gssapi context expiration Date: Tue, 8 Jun 2010 11:45:14 -0400 (EDT) From: hartmans@MIT.EDU (Sam Hartman) discussion at the Kerberos upgrade event strongly suggests that everyone would be happier if gss_wrap and gss_get_mic worked even after conxet expriation. --Sam		Download (untitled) 164b
Tue Jun 8 12:14:25 2010	ghudson - Given to ghudson
Tue Jun 8 12:14:25 2010	ghudson - Target_Version 1.8.2 added
Tue Jun 8 12:14:25 2010	ghudson - Status changed from new to review
Tue Jun 8 12:14:25 2010	ghudson - Tags pullup added
Tue Jun 8 12:14:25 2010	ghudson - Correspondence added
From: ghudson@mit.edu Subject: SVN Commit Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. http://src.mit.edu/fisheye/changelog/krb5/?cs=24120 Commit By: ghudson Revision: 24120 Changed Files: U trunk/src/lib/gssapi/krb5/k5unsealiov.c		Download (untitled) 580b
Tue Jun 8 12:26:24 2010	ghudson - Correspondence added
From: ghudson@mit.edu Subject: SVN Commit Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. (This is a continuation of r24120, which should have contained the changes to all four files.) http://src.mit.edu/fisheye/changelog/krb5/?cs=24121 Commit By: ghudson Revision: 24121 Changed Files: U trunk/src/lib/gssapi/krb5/k5seal.c U trunk/src/lib/gssapi/krb5/k5sealiov.c U trunk/src/lib/gssapi/krb5/k5unseal.c		Download (untitled) 754b
Thu Jun 10 13:11:41 2010	tlyu - Target_Version 1.8.2 changed to 1.8.3
Thu Jun 10 17:14:27 2010	tlyu - Status changed from review to resolved
Thu Jun 10 17:14:27 2010	tlyu - Version_Fixed 1.8.3 added
Thu Jun 10 17:14:27 2010	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit pull up r24120, r24121 from trunk ------------------------------------------------------------------------ r24120 \| ghudson \| 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) \| 12 lines ticket: 6739 target_version: 1.8.2 tags: pullup Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. http://src.mit.edu/fisheye/changelog/krb5/?cs=24130 Commit By: tlyu Revision: 24130 Changed Files: U branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c U branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c U branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c U branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c		Download (untitled) 991b