Thread safety of MIT Kerberos w/GSSAPI

Ken Raeburn raeburn at MIT.EDU
Wed Feb 20 14:34:24 EST 2008


On Feb 20, 2008, at 13:57, Russ Allbery wrote:
> An interesting question came up on one of the OpenLDAP lists.

It was brought up on one of the Kerberos lists not too long ago, too.

> Provided that a GSSAPI authentication is done entirely within a single
> thread, is it safe to do subsequent reads and writes to that connection
> through the GSSAPI layer in different threads?  Or does that violate the
> underlying requirements of the MIT Kerberos libraries?  (It apparently
> works fine in practice with Heimdal.)

We currently assume that a security context is used in only one
thread at a time, so you could switch between threads, just not use
it simultaneously in multiple threads.  But the person looking into
it earlier concluded that there may not be anything besides the
sequence number that's actually subject to race conditions there (and
that window's probably small enough that it might "work fine in
practice" much of the time, but no promises), so we could look into
extending the concurrency for this case, and just do some internal
locking around the sequence number accesses.

-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium
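
The rule in the reply above (one thread in a security context at a time) is modelled here as an added example; it is not part of the original message and is not MIT Kerberos code. `struct sec_ctx`, `model_wrap` and `locked_wrap` are hypothetical stand-ins for a context's send sequence number and a per-message wrap call, and the mutex is held by the caller rather than by the library.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THREADS 4
#define PER_THREAD 5000
/* Hypothetical model of a security context: only the send sequence number
   (the state the reply singles out) plus a lock owned by the caller. */
struct sec_ctx { pthread_mutex_t lock; uint64_t send_seq; };

static struct sec_ctx ctx = { PTHREAD_MUTEX_INITIALIZER, 0 };
static unsigned char seen[THREADS * PER_THREAD];

/* Stand-in for a wrap call: unlocked read-modify-write of the counter. */
static uint64_t model_wrap(struct sec_ctx *c) {
    uint64_t seq = c->send_seq;
    c->send_seq = seq + 1;
    return seq;
}

/* Caller-side serialization: one thread inside the context at a time. */
static uint64_t locked_wrap(struct sec_ctx *c) {
    pthread_mutex_lock(&c->lock);
    uint64_t seq = model_wrap(c);
    pthread_mutex_unlock(&c->lock);
    return seq;
}

static void *worker(void *arg) {
    (void)arg;
    for (int i = 0; i < PER_THREAD; i++)
        seen[locked_wrap(&ctx)]++;  /* unique seq => slot touched once */
    return NULL;
}

/* Returns how many sequence numbers were skipped or issued twice. */
int run_model(void) {
    pthread_t t[THREADS];
    int bad = 0;
    ctx.send_seq = 0;
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < THREADS; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < THREADS; i++) pthread_join(t[i], NULL);
    for (int i = 0; i < THREADS * PER_THREAD; i++) bad += (seen[i] != 1);
    return bad;
}

int main(void) { printf("bad sequence numbers: %d\n", run_model()); return 0; }
```

In a real application the same mutex would be held around every per-message call on the shared context, in both directions, so that reader and writer threads never enter it simultaneously.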