Regarding Issues with Memory Credential Cache
Ezra Peisach
epeisach at MIT.EDU
Fri Aug 22 12:50:16 EDT 2008
Datar, Ashutosh Anil wrote:
> Hi,
>
> I was testing Apache Web Server (which uses mod_auth_kerb) with
> Kerberos Client 1.6.2 and found some issue with the Memory Cache handling.

Okay - I have examined the situation a little more. The problem is
really with mod_auth_kerb. In version 5.3 (released at the end of
2006) - krb5_cc_resolve is used to create a temporary
memory cache in two places.

The second argument for the cache is "MEMORY:". This indicates that we
want a memory cache with name "". The cache is initialized, used and
destroyed - so I believe it was never intended to last. So - another
thread might be iterating through the same cache and another thread then
nukes the contents of the cache with krb5_cc_initialize.

The fix is pretty easy - in mod_auth_kerb, there are two places
krb5_cc_resolve is used with "MEMORY:" as the second argument. Change
the code to use krb5_cc_new_unique and that should solve your
problem.... (the type should be "MEMORY" without the :)

I would make the change to mod_auth_kerb and if it works - send the fix
to the author.

I will meanwhile devise a way to bulletproof the memory cache code - to
at least ensure that initializing a cache while someone else is walking
it - will not do anything illegal - but probably result in an emptied
cache - which is not what mod_auth_kerb would be expecting...

Ezra
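
Added example, not part of the original message and not mod_auth_kerb or libkrb5 code: a single-threaded C model of the collision described above, in which two requests that resolve the empty cache name share one cache, while unique names keep them apart. Every type and function in it (model_resolve, model_new_unique and the rest) and both principal names are constructed for illustration.

```c
/* Model of a name-keyed in-memory cache registry. Not libkrb5 code:
   every type and function below is hypothetical. */
#include <stdio.h>
#include <string.h>
struct cache { int used, ncreds; char name[16]; char creds[4][32]; };
static struct cache table[8];
static unsigned next_id;
/* Models resolving by name: the same name always yields the same cache. */
static struct cache *model_resolve(const char *name) {
    struct cache *slot = NULL;
    for (int i = 0; i < 8; i++) {
        if (table[i].used && strcmp(table[i].name, name) == 0) return &table[i];
        if (!table[i].used && !slot) slot = &table[i];
    }
    if (!slot) return NULL;                      /* registry full */
    memset(slot, 0, sizeof *slot);
    snprintf(slot->name, sizeof slot->name, "%s", name);
    slot->used = 1;
    return slot;
}
/* Models a unique-name constructor: fresh name, hence a fresh cache. */
static struct cache *model_new_unique(void) {
    char name[16];
    snprintf(name, sizeof name, "u%u", next_id++);
    return model_resolve(name);
}
static void model_initialize(struct cache *c) { c->ncreds = 0; } /* wipes */
static void model_store(struct cache *c, const char *cred) {
    if (c->ncreds < 4) snprintf(c->creds[c->ncreds++], 32, "%s", cred);
}
/* Request A fills its cache and walks it; request B initializes its own
   cache after A has read one entry. Returns entries A saw, -1 on error. */
static int walk_interleaved(struct cache *a, struct cache *b) {
    int seen = 0;
    if (!a || !b) return -1;
    model_initialize(a);
    model_store(a, "krbtgt/EXAMPLE.TEST");       /* constructed */
    model_store(a, "HTTP/www.example.test");     /* constructed */
    for (int cur = 0; cur < a->ncreds; cur++) {
        seen++;
        if (cur == 0) model_initialize(b);       /* B's request begins */
    }
    return seen;
}
int shared_name_result(void) { return walk_interleaved(model_resolve(""), model_resolve("")); }
int unique_name_result(void) { return walk_interleaved(model_new_unique(), model_new_unique()); }
int main(void) {
    printf("shared: A saw %d of 2; unique: A saw %d of 2\n", shared_name_result(), unique_name_result());
    return 0;
}
```

With the shared name, request A's walk ends after one of its two entries because request B's initialize emptied the same object; with unique names A sees both.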