RT RT/krbdev.mit.edu: Ticket #6739 Behavior change: gssapi context expiration Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
6739
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Version_reported
Version_Fixed
  • 1.8.3
Target_Version
  • 1.8.3
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 4222: (Nobody) GSSAPI context being destroyed when ticket cache renewed [resolved]
 
 Dates  
Created: Tue Jun 8 11:45:18 2010
Starts: Not set
Started: Tue Jun 8 12:14:25 2010
Last Contact: Thu Jun 10 17:14:28 2010
Due: Not set
Updated: Thu Jun 10 17:14:28 2010 by tlyu
 

 People  
Owner
 ghudson
Requestors
 hartmans@mit.edu
Cc
 
AdminCc
 
 

 More about Sam Hartman  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Tue Jun  8 11:45:18 2010  hartmans - Ticket created    
     
To: krb5-bugs@MIT.EDU
Subject: Behavior change: gssapi context expiration
Date: Tue,  8 Jun 2010 11:45:14 -0400 (EDT)
From: hartmans@MIT.EDU (Sam Hartman)



discussion at the Kerberos upgrade event strongly suggests that
everyone would be happier if gss_wrap and gss_get_mic worked even
after conxet expriation.

--Sam


Download (untitled) 164b
      Tue Jun  8 12:14:25 2010  ghudson - Given to ghudson    
      Tue Jun  8 12:14:25 2010  ghudson - Target_Version 1.8.2 added    
      Tue Jun  8 12:14:25 2010  ghudson - Status changed from new to review    
      Tue Jun  8 12:14:25 2010  ghudson - Tags pullup added    
      Tue Jun  8 12:14:25 2010  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: SVN Commit


Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech.  Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires.  In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.


http://src.mit.edu/fisheye/changelog/krb5/?cs=24120
Commit By: ghudson
Revision: 24120
Changed Files:
U   trunk/src/lib/gssapi/krb5/k5unsealiov.c


Download (untitled) 580b
      Tue Jun  8 12:26:24 2010  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: SVN Commit


Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech.  Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires.  In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.

(This is a continuation of r24120, which should have contained the
changes to all four files.)


http://src.mit.edu/fisheye/changelog/krb5/?cs=24121
Commit By: ghudson
Revision: 24121
Changed Files:
U   trunk/src/lib/gssapi/krb5/k5seal.c
U   trunk/src/lib/gssapi/krb5/k5sealiov.c
U   trunk/src/lib/gssapi/krb5/k5unseal.c


Download (untitled) 754b
      Thu Jun 10 13:11:41 2010  tlyu - Target_Version 1.8.2 changed to 1.8.3    
      Thu Jun 10 17:14:27 2010  tlyu - Status changed from review to resolved    
      Thu Jun 10 17:14:27 2010  tlyu - Version_Fixed 1.8.3 added    
      Thu Jun 10 17:14:27 2010  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r24120, r24121 from trunk

 ------------------------------------------------------------------------
 r24120 | ghudson | 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) | 12 lines

 ticket: 6739
 target_version: 1.8.2
 tags: pullup

 Stop checking the current time against the context expiration time in
 the message wrap/unwrap functions in the krb5 GSS mech.  Heimdal
 doesn't do it, and it generally results in poor app behavior when a
 ticket expires.  In exchange, it doesn't provide much security benefit
 since it's not enforced across the board--for example, ssh sessions
 can persist beyond ticket expiration time since they don't use GSS to
 wrap payload data.

http://src.mit.edu/fisheye/changelog/krb5/?cs=24130
Commit By: tlyu
Revision: 24130
Changed Files:
U   branches/krb5-1-8/src/lib/gssapi/krb5/k5seal.c
U   branches/krb5-1-8/src/lib/gssapi/krb5/k5sealiov.c
U   branches/krb5-1-8/src/lib/gssapi/krb5/k5unseal.c
U   branches/krb5-1-8/src/lib/gssapi/krb5/k5unsealiov.c


Download (untitled) 991b