Quanah Gibson-Mount <quanah(a)zimbra.com> writes:
> The other major difference between MIT and Heimdal is the behavior
> when a ticket expires. With MIT, any existing connections will stop
> working. With Heimdal, existing connections will continue to work, just
> new connections will fail until the ticket is renewed. I strongly
> prefer the Heimdal behavior if using something like SASL/GSSAPI for
> doing replication with persistent connections.
True. The problem is that the Heimdal behavior is arguably wrong from a
security standpoint. Once the ticket has expired, all products of that
ticket should be treated as expired; otherwise, someone whose Kerberos
principal has been revoked can continue to access services past the
expiration of their ticket, which violates the Kerberos security model.
The right thing to do would be to rekey the persistent connection with a
new ticket, but I don't know if the underlying protocols support that.
Russ Allbery (rra(a)stanford.edu) <http://www.eyrie.org/~eagle/>
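A small model of the two expiry behaviours discussed in this thread, added here as an example and not code from the thread, OpenLDAP, MIT or Heimdal. The ticket lifetimes are constructed unix timestamps, and the strict/lenient policy switch, the rekey() path and the audit helper are assumptions standing in for what a real GSSAPI-authenticated server would do; the revoked-principal case shows up as a rekey that cannot obtain a fresh ticket.

```python
from dataclasses import dataclass

STRICT = "strict"    # MIT-style: an expired ticket ends the session
LENIENT = "lenient"  # Heimdal-style: an established session outlives its ticket


class TicketExpired(Exception):
    pass


@dataclass
class PersistentConnection:
    """A long-lived connection authenticated once with a Kerberos ticket.

    ticket_end is the ticket's expiry (constructed unix time); policy selects
    which of the two behaviours from the thread the server emulates.
    """
    principal: str
    ticket_end: int
    policy: str = STRICT
    requests: int = 0

    def ticket_valid(self, now: int) -> bool:
        return now < self.ticket_end

    def rekey(self, new_ticket_end: int, now: int) -> None:
        # Re-authenticate the existing session with a renewed ticket. A revoked
        # principal cannot get a usable new ticket, so its session stays dead.
        if new_ticket_end <= now:
            raise TicketExpired(f"{self.principal}: no valid renewed ticket")
        self.ticket_end = new_ticket_end

    def send(self, now: int) -> int:
        # Strict: refuse work once the credentials behind the session expired.
        # Lenient: keep serving the old session regardless of ticket state.
        if self.policy == STRICT and not self.ticket_valid(now):
            raise TicketExpired(f"{self.principal}: ticket expired at {self.ticket_end}")
        self.requests += 1
        return self.requests


def try_send(conn: PersistentConnection, now: int) -> bool:
    """True if the request was served, False if refused for an expired ticket."""
    try:
        conn.send(now)
        return True
    except TicketExpired:
        return False


def overdue_sessions(conns, now: int):
    """Audit check: lenient sessions still serving traffic past their ticket's expiry."""
    return [c.principal for c in conns if c.policy == LENIENT and not c.ticket_valid(now)]
```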