disabling kdc replay cache?
hSam Hartman
hartmans at MIT.EDU
Mon Feb 2 11:31:57 EST 2004
>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> ** We had some network problems, which caused some ntp
Kevin> problems, which may have caused the replay cache to get
Kevin> bloated. Would deleting this file and restarting the KDC
Kevin> be good enough?
IF that works for you it is a heck of a lot simpler than rebuilding
your KDC.
Briefly if you need to disable the KDC replay cache for an operational
situation, then do so.
The major benefit of the replay cache seems to be protection against
some cryptographic attacks we hope Kerberos is not particularly
vulnerable to anyway. In theory it could provide a performance boost
if the KDC is getting a lot of retransmitted packets. We suspect that
the replay cache implementation is slow enough this is false in
practice.
More information about the krbdev
mailing list