Does this separate thread connection need another as_req/rep pair?

Chris Hecker checker at
Thu May 7 05:54:54 EDT 2015

Okay, I have a client communicating with a server, and they've gone 
through the AS_REQ/AS_REP dance and that's all working fine.

Now, I want the server to send the client info about another connection 
it needs to make back to the server on another thread.  Does this 
connection need to do another AS_REQ/AS_REP exchange, or is there some 
cool way to take advantage of the original authentication on the first 

Basically, in my tests I've found the initial AS_REQ authentication is 
pretty slow, so I end up timeslicing it when I've got lots of 
connections to the first thread, and I'd rather not have to take the 
time to do that again on the second thread if I don't need to. 
Sometimes the server will tell the client to connect to a completely 
different machine, so obviously in that case I need the full authn 
exchange (I assume), but in the case where it's a connection back to the 
same process, it'd be nice if there was some way to skip this step.

I don't think I could use the same auth_context in the second thread 
(even with a mutex) because I don't know which order things will come 
in, and I'm using DO_SEQUENCE so I think the mk_priv/rd_priv pairs have 
to happen in order, which I can't guarantee with another thread.

Am I missing something, or do I have to bite the bullet and do the full 
AS_REQ/AS_REP thing on the second connection?

Let me know if that doesn't make sense.


More information about the Kerberos mailing list