disabling kdc replay cache?
Kevin Coffman
kwc at citi.umich.edu
Tue Feb 3 09:37:14 EST 2004
Thanks Sam.
For the record, we moved the replay cache file aside and restarted the
KDC and things appear to be back to normal.
K.C.
> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>
> Kevin> ** We had some network problems, which caused some ntp
> Kevin> problems, which may have caused the replay cache to get
> Kevin> bloated. Would deleting this file and restarting the KDC
> Kevin> be good enough?
>
> If that works for you it is a heck of a lot simpler than rebuilding
> your KDC.
>
> Briefly, if you need to disable the KDC replay cache for an operational
> situation, then do so.
>
> The major benefit of the replay cache seems to be protection against
> some cryptographic attacks we hope Kerberos is not particularly
> vulnerable to anyway. In theory it could provide a performance boost
> if the KDC is getting a lot of retransmitted packets. We suspect that
> the replay cache implementation is slow enough this is false in
> practice.