Thread-safe libraries
Cesar Garcia
Cesar.Garcia at morganstanley.com
Wed Feb 25 14:51:22 EST 2004
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> It is also worth noting, that, while Heimdal is not thread safe (at least there
>> are no guarantees), it has proven to be much more thread-robust than MIT.
>> OpenLDAP page and a couple of users have expirienced problems with MIT and
>> threaded OpenLDAP server, while Heimdal performed flawlessly.
>>
>> It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)
Ken> I believe that many of the problems of thread-safeness in MIT Kerberos
Ken> result from the lack of any file locking in the replay cache code.
Ken> Heimdal solves this part of thread-safeness by not having a replay
Ken> cache, at a cost to security. How much this affects security in
Ken> practice is debatable; I'm not aware of any current attacks against
Ken> Kerberos application servers via ticket replay, but it's certainly
Ken> possible.
wrt to gssapi and 1.3.1 ...
Since we're pointing out lack of replay cache detection, note that if
acquiring creds for GSS_C_NO_NAME, then no replay cache is used.
(specifically looking at 1.3.1 - lib/gssapi/krb5/acquire_cred.c)
Acquiring creds for GSS_C_NO_NAME is also a result of invoking
gss_accept_sec_context with a verifier cred of GSS_C_NO_CREDENTIAL.
(This is very convenient for certain apps).
Of course, in the case of MIT - the choice is yours (at least
implicitly).
More information about the Kerberos
mailing list