context negotiation performance problem

Eric Mei ericm at clusterfs.com
Wed Nov 2 18:10:34 EST 2005


Ken Raeburn wrote:

> That's almost certainly the replay cache file, meant to prevent the  
> re-use of a transmitted authenticator by an attacker.  The fsync is  
> there to handle the problem of the machine crashing or losing power  
> after an authenticator has been accepted and a data exchange  
> performed, but the on-disk cache not yet updated.
>
> If your protocol or threat model is such that replay attacks are not  
> a problem, then under later versions of the code (I'd check whether  
> it's in the 1.4 series, but the machine where I keep my source trees  
> checked out ate its root file system over the weekend) you could set  
> the environment variable KRB5RCACHETYPE to "none" before starting the  
> program.  (Look for src/lib/krb5/rcache/rc_none.c to see if you've  
> got the support.)
>
> Is this a single-process server, or multiple processes?  Multiple  
> processes would probably deal better with the fsync calls.

Thanks a lot Ken. 1.4.2 indeed support KRB5RCACHETYPE=none. I enable it 
and rewrite the test as multi-processes. Now the server could handle at 
least 600/s now.

Thanks again!

Eric


More information about the Kerberos mailing list