On Thu, 2012-11-01 at 16:09 -0400, Jeffrey Hutzelman wrote:

> > > For example, the valid lifetime of an SSH connection is not determined
> > > by the lifetime of the Kerberos ticket when GSS authentication is used.
> > > The lifetime of the connection is determined by the policy enforced by
> > > the SSH service.
>
> Actually, to an extent, it is. The SSH protocol limits the lifetime of
> session keys to one hour or one gigabyte, whichever comes first (see
> RFC4253 section 9). Before these limits are reached, the session must
> be rekeyed, and rekeying with an expired GSS-API context will fail,
> causing the session to be terminated immediately.
>
> Of course, it is possible to use GSS-API for user authentication in SSH
> without using it for key exchange, in which case the context lifetime
> has no effect on

... the life of the SSH connection. However, in such cases, Russ's point
about the difference between a single connection and a derived session
still applies.

-- Jeff

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
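The interaction Jeff describes (the RFC 4253 section 9 rekey triggers of one hour or one gigabyte, a rekey that fails once the GSS-API context has expired, and the case where GSS-API is used only for user authentication so the context does not matter) can be modelled as a small state machine. The following is an added illustration written for this page; it is not code from the thread, from OpenAFS, or from any SSH implementation. The `SshSession` class, the `run` helper, the `policy_max_lifetime` field standing in for whatever limit the SSH service enforces, and all traffic samples and expiry times are constructed for the example; only the two rekey thresholds are RFC values.

```python
"""Model of SSH session lifetime versus GSS-API context lifetime.

Added illustration, not code from the mailing-list thread or from any
SSH implementation.  Encodes the RFC 4253 section 9 rekey triggers
(one hour or one gigabyte of traffic, whichever comes first) and the
observation that a rekey performed with an expired GSS-API context
fails and ends the connection.  All sample traffic, expiry times and
the service-policy limit are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REKEY_SECONDS = 3600      # RFC 4253 s.9: rekey at least once per hour ...
REKEY_BYTES = 1 << 30     # ... or per 2^30 bytes, whichever comes first


@dataclass
class SshSession:
    gss_kex: bool                 # True: GSS-API key exchange, context needed at rekey
    gss_context_expiry: float     # seconds after session start when the context expires
    policy_max_lifetime: Optional[float] = None  # constructed stand-in for service policy
    last_rekey_at: float = 0.0
    bytes_since_rekey: int = 0
    rekeys: List[float] = field(default_factory=list)

    def _rekey(self, now: float) -> Tuple[bool, str]:
        # With GSS-API key exchange the rekey needs a live security context;
        # an expired context makes the exchange fail and the session is torn down.
        if self.gss_kex and now >= self.gss_context_expiry:
            return False, "rekey failed: GSS-API context expired"
        self.last_rekey_at = now
        self.bytes_since_rekey = 0
        self.rekeys.append(now)
        return True, "rekeyed"

    def transfer(self, now: float, nbytes: int) -> Tuple[bool, str]:
        """Account for nbytes sent at time `now`; report whether the session survives."""
        if self.policy_max_lifetime is not None and now >= self.policy_max_lifetime:
            return False, "closed by service policy"
        self.bytes_since_rekey += nbytes
        if (now - self.last_rekey_at >= REKEY_SECONDS
                or self.bytes_since_rekey >= REKEY_BYTES):
            return self._rekey(now)
        return True, "ok"


def run(session: SshSession, events) -> Tuple[Optional[float], str]:
    """Feed (time, nbytes) events in order; return (termination time, reason)."""
    for t, n in events:
        alive, why = session.transfer(t, n)
        if not alive:
            return t, why
    return None, "alive after all events"


def hourly_events():
    """Constructed trickle: 1 MiB every ten minutes for three hours."""
    return [(t, 1 << 20) for t in range(0, 10801, 600)]


if __name__ == "__main__":
    # GSS-API key exchange, context expiring after 90 minutes (constructed):
    # first rekey at 3600 s succeeds, second at 7200 s fails.
    print(run(SshSession(gss_kex=True, gss_context_expiry=5400), hourly_events()))
    # Same traffic, GSS-API used for authentication only: context expiry is irrelevant.
    print(run(SshSession(gss_kex=False, gss_context_expiry=5400), hourly_events()))
    # Bulk transfer: the byte limit forces a rekey long before the hour is up.
    bulk = [(t, 256 << 20) for t in range(0, 601, 60)]
    print(run(SshSession(gss_kex=True, gss_context_expiry=300), bulk))
```

The model makes the two regimes in the message explicit: with GSS-API key exchange the connection ends at the first rekey after the context expires, whichever trigger (time or volume) fires it, while with GSS-API authentication alone the connection lifetime is bounded only by whatever the service's own policy imposes.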
