Received: from smtp3.stanford.edu ([171.67.20.26]) by krbdev.mit.edu (8.9.3p2) with ESMTP id WAA18562; Fri, 8 Sep 2006 22:42:48 -0400 (EDT) Received: from smtp3.stanford.edu (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4E5C74C61B for ; Fri, 8 Sep 2006 14:01:28 -0700 (PDT) Received: from windlord.stanford.edu (windlord.Stanford.EDU [171.64.19.147]) by smtp3.stanford.edu (Postfix) with ESMTP id 169874C64B for ; Fri, 8 Sep 2006 14:01:28 -0700 (PDT) Received: by windlord.stanford.edu (Postfix, from userid 1000) id 11796E78C8; Fri, 8 Sep 2006 14:01:28 -0700 (PDT) From: Russ Allbery To: rt@krbdev.mit.edu Subject: Re: [krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed In-Reply-To: (Quanah Gibson-Mount via's message of "Fri, 8 Sep 2006 12:08:59 -0400 (EDT)") Organization: The Eyrie References: Date: Fri, 08 Sep 2006 14:01:28 -0700 Message-Id: <87odtqcbtj.fsf@windlord.stanford.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) XEmacs/21.4.19 (linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii RT-Send-Cc: X-RT-Original-Encoding: us-ascii Content-Length: 1284 Quanah Gibson-Mount via RT writes: > Thanks Simon for the follow-up. So it sounds like then, the error here > really is inside cyrus-sasl then? There is at least *some* error inside Cyrus SASL. The behavior that we're seeing (in a different context than the one Quanah originally raised) is that Cyrus SASL will go into a tight loop inside the library logging messages about expired contexts without ever returning to the application. That's clearly broken. I just haven't been able to find where the brokenness is yet (mostly because I haven't had a chance to look in depth). Whether there's also a separate error in Kerberos is a different question. It's looking to me like there's actually (arguable) incorrect behavior in Heimdal, in that once a Kerberos ticket expires, I think a strong argument can be made that the products of that ticket, such as the session key used to provide confidentiality, are no longer valid either. I don't know what that would mean for, say, a version of ssh that did integrity protection using GSSAPI, though. Having your login session go away because your original ticket expired might be technically correct but sounds rather bad. -- Russ Allbery (rra@stanford.edu)