Sequence numbering after export and import of context

Nicolas Williams Nicolas.Williams at sun.com
Mon Oct 6 00:18:36 EDT 2008


On Mon, Oct 06, 2008 at 12:01:16AM -0400, Michael B Allen wrote:
> Personally I think the whole export / import of security contexts is a
> little awkward. Instead of moving the context we just put all IO
> buffers in shared memory and have one process running the muxer loop
> (although the reason for doing this has nothing to do with GSSAPI).

In Solaris secure NFS can deal with mechanisms that don't support
security context import/export, but for mechanisms that don't the price
to pay is an upcall to user-land for every GSS per-message token.

The security context import/export feature definitely has its place.

In the case of the original poster, however, I agree that there is a
better solution.  But that mostly follows from the OP's application
design being incompatible with security context import/export, and the
only solution is to change the application design.  At least IIUC.

Nico
-- 



More information about the Kerberos mailing list