Received: from smtp2.stanford.edu (smtp2.Stanford.EDU [171.67.20.25]) by krbdev.mit.edu (8.9.3p2) with ESMTP id MAA18186; Fri, 8 Sep 2006 12:08:56 -0400 (EDT) Received: from smtp2.stanford.edu (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 9B32B4C0B7 for ; Fri, 8 Sep 2006 09:08:55 -0700 (PDT) Received: from SW-90-717-287-3.stanford.edu (SW-90-717-287-3.Stanford.EDU [171.66.155.86]) by smtp2.stanford.edu (Postfix) with ESMTP id 79F644BF04 for ; Fri, 8 Sep 2006 09:08:55 -0700 (PDT) Date: Fri, 08 Sep 2006 09:08:54 -0700 From: Quanah Gibson-Mount To: rt-comment@krbdev.mit.edu Subject: Re: [krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed Message-Id: <5BB77338FD48BF80BA03487F@SW-90-717-287-3.stanford.edu> In-Reply-To: References: X-Mailer: Mulberry/4.0.5 (Win32) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline RT-Send-Cc: X-RT-Original-Encoding: us-ascii Content-Length: 1474 --On Friday, September 08, 2006 5:33 AM -0400 Simon Wilkinson via RT wrote: > As the person quoted right at the beginning, I should probably > contribute my findings here. > > I don't believe that ticket refresh is an issue. I can quite happily > refresh, destroy, or replace my Kerberos credentials from under a > running GSSAPI context, without causing that context to break. > > The issue (if there is an issue) is that Heimdal and MIT's behaviour > differ when the initiator's credentials do actually expire. Heimdal > allows the context to continue to be used for wrapping operations > past expiry - MIT expires the context, and calls to wrap() or unwrap > () fail. This difference in behaviour is an issue when using SASL > applications with security layers, as the only way to renew the > context is to reconnect to the server. In addition, many applications > have inadequate error handling around their security layer > implementations. > > I suspect that the current MIT behaviour is correct. Whilst there's > no explicit language in RFC2743, it suggests that the length of time > for which the context will be valid depends on credential lifetime. Thanks Simon for the follow-up. So it sounds like then, the error here really is inside cyrus-sasl then? --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html