GSSAPI Murder authentication and "The context has expired" on long proxyd sessions

Nik Conwell nik at bu.edu
Wed Sep 12 09:54:46 EDT 2007


On Sep 11, 2007, at 3:00 PM, Paul M Fleming wrote:

> I had the same problems. if you google for this you'll find a  
> discussion regarding how SASL context expires should be handled.  
> Heimdal allows expired contexts to be used after expiration. MIT  
> does not.

Thanks.  I had seen your posting http://cyrusimap.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=38716 but saw no responses so I wanted to bring it up again.

I just did some more googling on sasl gssapi context expire and that  
turned up some more good stuff.  Thanks.

> 2&3) My opinion is this behavior is broken in SASL unfortunately  
> I'm not sure if it can be "fixed" without major changes to the SASL  
> library. I know the openldap list discussed work arounds to deal  
> with an expired context. Lowering the client timeout levels in imap  
> can also help but you still get deadlocks between front and back  
> ends which users notice as a client connection lock-up. I did not  
> attempt to change the code for SASL or IMAP, but handling a  
> "context expired" event as a fatal error makes sense when running  
> MIT kerberos. My guess is CMU doesn't have this issue because they  
> use Heimdal.
>
> My solution was to change the keys involved in murder to have a  
> 25-hour max life and change the KDC to allow 25h tickets. Then  
> instead of a period event in cyrus.conf use an at event to renew  
> the ticket at 2:00AM when users are less likely to notice. The  
> Cyrus timeouts kick in before start of business and most clients  
> (Netscape, Thunderbird, etc.) reconnect automatically and the user  
> doesn't notice a thing, but you still have to deal with the log  
> messages. This solution solved the deadlock issues for my clients.

Interesting about the cyrus timeouts.  The clients I'm seeing this  
problem with (pine and Outlook) are typically checking for mail every  
couple of minutes and so the session never times out.

Just curious - why didn't you decide to go with some other auth  
scheme instead?  (Having passwords embedded in config files doesn't  
appeal to me though.)

For the list in general - what are you all using for the Murder  
authentication?  Heimdal?  Certs?  Passwords in configs?

-nik
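The renewal arrangement Paul describes above (raise the service principal's maximum ticket life to 25 hours on the KDC side, then renew once a night with a cyrus.conf "at" event instead of a "period" event) as an added configuration example. This is not configuration taken from either post or from the Cyrus project; the realm name, principal name, keytab path, credential-cache path and the 02:00 time are assumptions chosen for illustration.

```conf
# --- MIT kdc.conf: the KDC must allow tickets longer than the default 24h,
#     otherwise a 25h request is silently clamped.  Realm name is an assumption.
[realms]
    EXAMPLE.EDU = {
        max_life = 25h 0m 0s
    }

# --- kadmin: the per-principal limit must be raised as well, because the
#     effective lifetime is the minimum of the KDC, principal and requested
#     values.  Principal name is an assumption.
#
#     kadmin.local -q "modprinc -maxlife 25h imap/frontend.example.edu@EXAMPLE.EDU"

# --- /etc/cyrus.conf: one at= event per day instead of a period= event,
#     so the expired-context disconnects land at 02:00 rather than mid-day.
#     Keytab, cache path, principal and time are assumptions.
EVENTS {
    checkpoint  cmd="ctl_cyrusdb -c" period=30
    krbrenew    cmd="/usr/bin/kinit -k -t /etc/cyrus.keytab -l 25h -c /var/imap/krb5cc imap/frontend.example.edu" at=0200
}

# --- Check after the first run (same assumed paths):
#     klist -c /var/imap/krb5cc
#     The 'Expires' column should be about 25h after the kinit time; if it shows
#     ~24h, one of the two max-life limits above was not raised.
#     The master/proxyd processes must use the same cache, e.g. by exporting
#     KRB5CCNAME=/var/imap/krb5cc in the environment that starts master.
```

With the 25h lifetime the ticket obtained at 02:00 is still valid when the next renewal fires a day later, so the only window in which a front end holds an expired context is the one between ticket expiry and the first reconnect after 02:00, which is what moves the "context has expired" failures out of business hours.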
