[krbdev.mit.edu #1400] Disabling replay cache for krb5_rd_req

Sam Hartman via RT rt-comment at krbdev.mit.edu
Thu Mar 27 16:01:50 EST 2003


Return-Path: <krbdev-bounces at MIT.EDU>
Received: from solipsist-nation ([unix socket])
	by solipsist-nation (Cyrus v2.1.5-Debian2.1.5-1) with LMTP; Wed, 26 Mar
 2003 09:19:41 -0500
X-Sieve: CMU Sieve 2.2
Return-Path: <krbdev-bounces at MIT.EDU>
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
 [18.7.21.83])
	by suchdamage.org (Postfix) with ESMTP id 4B91A1316B
	for <hartmans at suchdamage.org>; Wed, 26 Mar 2003 09:19:41 -0500 (EST)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id
 h2QEJS4C016249;
	Wed, 26 Mar 2003 09:19:29 -0500 (EST)
Received: from pch.mit.edu (localhost [127.0.0.1])
	by pch.mit.edu (8.12.8/8.12.8) with ESMTP id h2QEHgFp012098;
	Wed, 26 Mar 2003 09:17:43 -0500 (EST)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.12.8/8.12.8) with ESMTP id h2QEHeFm012094
	for <krbdev at PCH.mit.edu>; Wed, 26 Mar 2003 09:17:40 -0500 (EST)
Received: from konishi-polis.mit.edu (cs6625131-84.austin.rr.com
	[66.25.131.84])h2QEHd1u026288;	Wed, 26 Mar 2003 09:17:39 -0500 (EST)
Received: by konishi-polis.mit.edu (Postfix, from userid 8042)
	id 82412152124; Wed, 26 Mar 2003 09:17:01 -0500 (EST)
To: krbdev at mit.edu
Message-Id: <20030326141701.82412152124 at konishi-polis.mit.edu>
Date: Wed, 26 Mar 2003 09:17:01 -0500 (EST)
From: hartmans at MIT.EDU (Sam Hartman)
Cc: zacheiss at mit.edu
Subject: Disabling replay cache for krb5_rd_req
X-BeenThere: krbdev at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: Kerberos Developers Mailing List <krbdev.mit.edu>
List-Help: <mailto:krbdev-request at mit.edu?subject=help>
List-Post: <mailto:krbdev at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
	<mailto:krbdev-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/krbdev>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
	<mailto:krbdev-request at mit.edu?subject=unsubscribe>
Sender: krbdev-bounces at MIT.EDU
Errors-To: krbdev-bounces at MIT.EDU
X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.20
X-Spam-Level: 
MIME-Version: 1.0


Hi.  Garry Zacheiss points out that it is unclear how to disable the
replay cache for krb5_rd_req.  It is clear that you want this
functionality for some services including things like zephyr.

In the 1.2.x code base, you can pass in a null server argument to
krb5_rd_req and this will not set up a replay cache.  This is
undesirable because it also allows any principal in the keytab to
match not just the desired principal.  These two behaviors should not
be controlled by the same option.

In the 1.3 code base we have added functionality to set up a replay
cache even if server is null as part of the support for
GSS_C_NO_CREDENTIAL in gss_accept_sec_context.

I propose that we add some functionality to disable replay cache for
krb5_rd_req in 1.3.  It seems there are two ways to do this.  The
first is to tie use of replay cache in krb5_rd_req to
KRB5_AUTH_CONTEXT_DO_TIME as we do with the use of the replay cache in
krb5_rd_priv and krb5_rd_safe.  The second is to add a new flag.

Unless people object I will tie the replay cache to DO_TIME.  The
DO_TIME flag is set by default, so code that does not call
krb5_auth_con_setflags willalways use a replay cache.

_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev



More information about the krb5-bugs mailing list