appl/simple/client/sim_client.c uses internal APIs
Sam Hartman
hartmans at debian.org
Fri Feb 24 14:49:33 EST 2023
>>>>> "Florian" == Florian Weimer <fweimer at redhat.com> writes:

Florian> The Perl translation is here:
Florian> <https://metacpan.org/release/IOANR/Authen-Krb5-1.905/source/eg/simple_client>
Florian> It's not an exact translation of the C because it creates a
Florian> replay cache:

Yeah, but it doesn't look like it *does* anything with the replay cache.
It looks like rdata_out is passed as NULL in the call to krb5_mk_priv
from Krb5.xs's mk_priv all the time.
I don't think that a replay cache will ever be used on the client by
that code.

So I think you can simply remove the calls to the APIs that are
internal; they may create an empty replay cache file, but I do not think
that they add anything to the security of the code.

On the server side, you do need a replay cache, and if you call rd_priv
on the client without sequence number support you need a replay cache.
But I'm fairly sure rd_req will do that for you generally.