Problem disabling replay cache
jakub.czuchnowski at gmail.com
Thu Oct 17 06:42:41 EDT 2019
I'm setting up a service (web application) that is using Kerberos to
authenticate users. I want to disable the replay cache for it but for some
reason I can't.
The web app is served from the Nginx server built with
https://github.com/stnoonan/spnego-http-auth-nginx-module for handling
Kerberos authentication. To be precise, I'm building a Docker image with:
- Debian 10.1
- Nginx 1.17.4
- libkrb5-dev 1.17-3
Because of libkrb5-dev, I assume I'm using MIT Kerberos. According to the
documentation it should suffice to set the environment
variable KRB5RCACHETYPE=none, but it doesn't work. printenv shows that it
is set, but the replay cache file is still created as /var/tmp/http_33.
The first request is fine, but the logs show that subsequent requests with
the same ticket are causing gss_accept_sec_context() to fail with "Request
is a replay".
Now, I'm not sure if the problem is in MIT Kerberos, the Nginx module, or
my lack of understanding, so I'm looking for any clues and clarifications.