krb5_gss_acquire_cred() vs multiple credential caches
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Feb 12 12:57:02 EST 2007
Alexandra Ellwood wrote:
> I'm talking about the output_cred_handle returned by
> krb5_gss_acquire_cred(). I will continue to assert that the
> krb5_context should not be relevant in this case because the ccache
> should be passed around in the output_cred_handle. If the code falls
> back to looking at the krb5_context then something has already gone
> wrong.
That will be true for a single output cred. However, if the mech glue
is calling krb5_gss_acquire_cred() multiple times, then there will be
multiple output creds. For each output cred there will be a ccache set.
>
> Also note that I'm not disputing the existence of the bug. I believe
> I've seen it at least once before but didn't have time to track it
> down and then couldn't reproduce it later.
When calling GSS from SSH I'm seeing multiple calls to
acquire_init_cred(). Let me see if I can narrow down where they are
all coming from.
Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070212/2fd75b7f/attachment.bin
More information about the krbdev
mailing list