[AFS3-std] Re: rxgk token expiry
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 01 Nov 2012 16:12:26 -0400
On Thu, 2012-11-01 at 16:09 -0400, Jeffrey Hutzelman wrote:
> > > For example, the valid lifetime of an SSH connection is not determined
> > > by the lifetime of the Kerberos ticket when GSS authentication is used.
> > > The lifetime of the connection is determined by the policy enforced by
> > > the SSH service.
>
> Actually, to an extent, it is. The SSH protocol limits the lifetime of
> session keys to one hour or one gigabyte, whichever comes first (see
> RFC4253 section 9). Before these limits are reached, the session must
> be rekeyed, and rekeying with an expired GSS-API context will fail,
> causing the session to be terminated immediately.
>
> Of course, it is possible to use GSS-API for user authentication in SSH
> without using it for key exchange, in which case the context lifetime
> has no effect on
... the life of the SSH connection. However, in such cases, Russ's
point about the difference between a single connection and a derived
session still applies.
-- Jeff
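The interaction Jeff describes (hourly / one-gigabyte rekey limits from RFC 4253 section 9 meeting an expired GSS-API context) can be modelled as a small state machine. The following Python is an added illustration written for this archive page; it is not code from the mailing list, from OpenSSH, or from any rxgk implementation. It assumes a session that starts at time 0, counts bytes in one direction only, and treats "context expired" as the only way a rekey can fail; the derived bound `termination_bound` follows from the text (a rekey must happen before either limit is hit, so a connection using GSS key exchange cannot outlive the context by more than one rekey interval).

```python
"""Toy model of RFC 4253 s.9 rekey triggers vs. GSS-API context lifetime.

Two modes are compared:
  gss_kex=True  -> GSS-API used for key exchange; rekey needs a valid context.
  gss_kex=False -> GSS-API used only for user authentication; the context
                   lifetime does not affect the connection at all.
"""
from dataclasses import dataclass

REKEY_SECONDS = 3600       # RFC 4253 s.9: rekey at least once per hour ...
REKEY_BYTES = 1 << 30      # ... or after one gigabyte, whichever comes first


@dataclass
class GssContext:
    expires_at: float      # absolute time (seconds) at which the context expires

    def valid_at(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class SshSession:
    gss_kex: bool
    ctx: GssContext
    last_rekey: float = 0.0        # session established (initial kex) at t=0
    bytes_since_rekey: int = 0
    rekeys: int = 0
    alive: bool = True

    def needs_rekey(self, now: float) -> bool:
        """Either RFC 4253 limit reached since the last key exchange."""
        return (now - self.last_rekey >= REKEY_SECONDS
                or self.bytes_since_rekey >= REKEY_BYTES)

    def rekey(self, now: float) -> bool:
        """Attempt a key exchange. With GSS kex, an expired context makes it
        fail, and a failed rekey terminates the session."""
        if self.gss_kex and not self.ctx.valid_at(now):
            self.alive = False
            return False
        self.last_rekey = now
        self.bytes_since_rekey = 0
        self.rekeys += 1
        return True

    def transfer(self, now: float, nbytes: int) -> bool:
        """Account for traffic at time `now`; rekey if a limit is hit.
        Returns whether the session is still alive afterwards."""
        if not self.alive:
            raise RuntimeError("session already terminated")
        self.bytes_since_rekey += nbytes
        if self.needs_rekey(now):
            self.rekey(now)
        return self.alive


def simulate(gss_kex: bool, ctx_expiry: float, events):
    """Run a list of (time, nbytes) events. Returns (alive, rekeys)."""
    s = SshSession(gss_kex=gss_kex, ctx=GssContext(expires_at=ctx_expiry))
    for t, n in events:
        if not s.transfer(t, n):
            break
    return s.alive, s.rekeys


def termination_bound(ctx_expiry: float) -> float:
    """Latest time a GSS-kex session can still be alive: the first forced
    rekey after expiry is at most one rekey interval away."""
    return ctx_expiry + REKEY_SECONDS


if __name__ == "__main__":
    # Constructed sample: context expires at t=5000s; traffic at 1000s, 3700s, 8000s.
    events = [(1000, 100), (3700, 100), (8000, 100)]
    print("GSS kex  :", simulate(True, 5000, events))    # (False, 1)
    print("GSS auth :", simulate(False, 5000, events))   # (True, 2)
    print("bound    :", termination_bound(5000))         # 8600
```

The hourly trigger fires at 3700s while the context is still valid, so that rekey succeeds; the next forced rekey at 8000s finds the context expired and, in GSS key-exchange mode, the connection is torn down. The userauth-only session sees the same rekeys succeed regardless of the context, which is the second case in the message.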