Quanah Gibson-Mount via RT writes:

> Thanks Simon for the follow-up. So it sounds like then, the error here
> really is inside cyrus-sasl then?

There is at least *some* error inside Cyrus SASL. The behavior that we're seeing (in a different context than the one Quanah originally raised) is that Cyrus SASL will go into a tight loop inside the library logging messages about expired contexts without ever returning to the application. That's clearly broken. I just haven't been able to find where the brokenness is yet (mostly because I haven't had a chance to look in depth).

Whether there's also a separate error in Kerberos is a different question. It's looking to me like there's actually (arguable) incorrect behavior in Heimdal, in that once a Kerberos ticket expires, I think a strong argument can be made that the products of that ticket, such as the session key used to provide confidentiality, are no longer valid either. I don't know what that would mean for, say, a version of ssh that did integrity protection using GSSAPI, though. Having your login session go away because your original ticket expired might be technically correct but sounds rather bad.

-- 
Russ Allbery (rra@stanford.edu)