Replaying and server side caching.

Darren Reed (OSE) darrenr at
Wed Apr 9 02:13:19 EDT 2003

Whilst testing the KDC with replaying TGT requests, it
became apparent that if the cache was enabled then a
replayed TGT request would be answered.  This seemed
dubious in terms of security, but is it deliberate ?

I was expecting that turning on the cache would enable
detection of replayed tickets, resulting in an error
message being sent back as opposed to a positive ack.
Unfortunately I've not been back to test it with the
cache disabled, rather, I patched the KDC to return
an error if it found a TGT request in its cache.

Have I misunderstood how the cache in the KDC is meant
to be used/work or is this an actual limitation with
the current implementation that's recognised and
put up with for various reasons?


More information about the krbdev mailing list