threading best practices?
Chris Hecker
checker at d6.com
Thu Jul 21 23:01:45 EDT 2011
Hi, my kerberos application is threaded, so all the lowlevel
communication between the clients and the servers is happening on
separate threads that queue messages to the main thread. I'm going to
integrate kerberos authentication to all this, and I'm trying to figure
out the best way to do this.
This link talks about some of the caveats, like not sharing contexts
across threads:
http://mailman.mit.edu/pipermail/krbdev/2009-March/007571.html
Since krb5 talks to the KDC on blocking sockets, what I'd like to do is
have all communication with the KDC on its own dedicated thread so it
never blocks my app (a video game). But, the link above says not to
share contexts between threads, so I'm not exactly sure how to
accomplish this. Should I have a context in the KDC thread, and then
store the tickets in the ccache, and then load them in the main thread
(knowing they won't hit the net because they're already loaded?).
Should I have a single context and then use a mutex to share it between
threads, so if the KDC thread is active, then the main thread can't
authn anything until it's done?
I need to do normal client<->server authn and also client<->client
authn, which I'm going to do with the user-to-user stuff, so I'll need
to talk to the KDC multiple times per session. It seems like the u2u
stuff is stored in the context, so I'm not sure how to make all this work.
I'd also like to guarantee nobody in krb5 will try to use a socket
without me specifically asking them to, so is there a list of APIs that
talk to the net? An example is some APIs have a flag that tells them to
fail with an error code instead of contact the KDC, which is what I
want. Can anybody think of APIs I need to watch out for here?
Once things are established with mutual authn & subkeys, the main thread
is just going to use mk_safe and mk_priv, basically.
Thanks,
Chris
More information about the Kerberos
mailing list