Thread-safe libraries

Cesar Garcia Cesar.Garcia at morganstanley.com
Wed Feb 25 15:49:43 EST 2004


According to strace ...

1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.

w.r.t. krb5_rd_req - it looks like rcache is obtained only if
auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME.

accept_sec_context clearly sets auth_context with
KRB5_AUTH_CONTEXT_DO_SEQUENCE.

What am I missing?

>>>>> "Sam" == Sam Hartman <hartmans at MIT.EDU> writes:

>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia at morganstanley.com> writes:
Cesar> w.r.t. gssapi and 1.3.1 ...

Cesar> Since we're pointing out lack of replay cache detection,
Cesar> note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar> replay cache is used.  (specifically looking at 1.3.1 -
Cesar> lib/gssapi/krb5/acquire_cred.c)

Sam> I think that's false.  I believe that krb5_rd_req will end up setting
Sam> up a rcache later.

Sam> I don't have time to go look through the code now though, but I wrote
Sam> it and at least intended that a replay cache would get used even
Sam> though it does not get stored in the GSSAPI credentials structure.
