Disabling replay cache for krb5_rd_req

Sam Hartman hartmans at MIT.EDU
Wed Mar 26 09:17:01 EST 2003

Hi.  Garry Zacheiss points out that it is unclear how to disable the
replay cache for krb5_rd_req.  It is clear that you want this
functionality for some services including things like zephyr.

In the 1.2.x code base, you can pass in a null server argument to
krb5_rd_req and this will not set up a replay cache.  This is
undesirable because it also allows any principal in the keytab to
match not just the desired principal.  These two behaviors should not
be controlled by the same option.

In the 1.3 code base we have added functionality to set up a replay
cache even if server is null as part of the support for
GSS_C_NO_CREDENTIAL in gss_accept_sec_context.

I propose that we add some functionality to disable replay cache for
krb5_rd_req in 1.3.  It seems there are two ways to do this.  The
first is to tie use of replay cache in krb5_rd_req to
KRB5_AUTH_CONTEXT_DO_TIME as we do with the use of the replay cache in
krb5_rd_priv and krb5_rd_safe.  The second is to add a new flag.

Unless people object I will tie the replay cache to DO_TIME.  The
DO_TIME flag is set by default, so code that does not call
krb5_auth_con_setflags willalways use a replay cache.

More information about the krbdev mailing list