Thread-safe libraries
Cesar Garcia
Cesar.Garcia at morganstanley.com
Wed Feb 25 15:49:43 EST 2004
According to strace ...
1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.
wrt to krb5_rd_req - it looks like rcache is obtained only if
auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME.
accept_sec_context clearly sets auth_context with
KRB5_AUTH_CONTEXT_DO_SEQUENCE.
What am I missing?
>>>>> "Sam" == Sam Hartman <hartmans at MIT.EDU> writes:
>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia at morganstanley.com> writes:
Cesar> wrt to gssapi and 1.3.1 ...
Cesar> Since we're pointing out lack of replay cache detection,
Cesar> note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar> replay cache is used. (specifically looking at 1.3.1 -
Cesar> lib/gssapi/krb5/acquire_cred.c)
Sam> I think that's false. I believe that krb5_rd_req will end up setting
Sam> up a rcache later.
Sam> I don't have time to go look through the code now though, but I wrote
Sam> it and at least intended that a replay cache would get used even
Sam> though it does not get stored in the GSSAPI credentials structure.
More information about the Kerberos
mailing list