disabling kdc replay cache?

Kevin Coffman kwc at citi.umich.edu
Tue Feb 3 09:37:14 EST 2004

Thanks Sam.

For the record, we moved the replay cache file aside and restarted the 
KDC and things appear to be back to normal.


> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>     Kevin> ** We had some network problems, which caused some ntp
>     Kevin> problems, which may have caused the replay cache to get
>     Kevin> bloated.  Would deleting this file and restarting the KDC
>     Kevin> be good enough?
> IF that works for you it is a heck of a lot simpler than rebuilding
> your KDC.
> Briefly if you need to disable the KDC replay cache for an operational
> situation, then do so.
> The major benefit of the replay cache seems to be protection against
> some cryptographic attacks we hope Kerberos is not particularly
> vulnerable to anyway.  In theory it could provide a performance boost
> if the KDC is getting a lot of retransmitted packets.  We suspect that
> the replay cache implementation is slow enough this is false in
> practice.

More information about the krbdev mailing list