Thread safety of MIT Kerberos w/GSSAPI
Ken Raeburn
raeburn at MIT.EDU
Wed Feb 20 14:34:24 EST 2008
On Feb 20, 2008, at 13:57, Russ Allbery wrote:
> An interesting question came up on one of the OpenLDAP lists.
It was brought up on one of the Kerberos lists not too long ago, too.
> Provided that a GSSAPI authentication is done entirely within a single
> thread, is it safe to do subsequent reads and writes to that
> connection
> through the GSSAPI layer in different threads? Or does that
> violate the
> underlying requirements of the MIT Kerberos libraries? (It apparently
> works fine in practice with Heimdal.)
We currently assume that a security context is used in only one
thread at a time, so you could switch between threads, just not use
it simultaneously in multiple threads. But the person looking into
it earlier concluded that there may not be anything besides the
sequence number that's actually subject to race conditions there (and
that window's probably small enough that it might "work fine in
practice" much of the time, but no promises), so we could look into
extending the concurrency for this case, and just do some internal
locking around the sequence number accesses.
--
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium
More information about the Kerberos
mailing list