Thread-safe libraries
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Feb 25 11:12:41 EST 2004
>It is also worth noting that, while Heimdal is not thread safe (at least there
>are no guarantees), it has proven to be much more thread-robust than MIT.
>OpenLDAP page and a couple of users have experienced problems with MIT and
>threaded OpenLDAP server, while Heimdal performed flawlessly.
>
>It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)
I believe that many of the problems of thread-safeness in MIT Kerberos
result from the lack of any file locking in the replay cache code.
Heimdal solves this part of thread-safeness by not having a replay
cache, at a cost to security. How much this affects security in
practice is debatable; I'm not aware of any current attacks against
Kerberos application servers via ticket replay, but it's certainly
possible.
--Ken