Regarding Issues with Memory Credential Cache

Ezra Peisach epeisach at MIT.EDU
Fri Aug 22 12:50:16 EDT 2008

Datar, Ashutosh Anil wrote:
> Hi,
> I was testing Apache Web Server (which uses mod_auth_kerb) with 
> Kerberos Client 1.6.2 and found some issue with the Memory Cache handling.

Okay - I have examined the situation a little more. The problem is 
readlly with mod_auth_kerb.  In version 5.3 (released at the end of 
2006) - krb5_cc_resolve is used to create a temporary
memory cache in two places.

The second argument for the cache is "MEMORY:".  This indicates that we 
want a memory cache with name "".  The cache is initialized, used and 
destroyed - so I believe it was never intended to last.  So - another 
thread might be iterating through the same cache and another thread then 
nukes the contents of the cache with krb5_cc_initialize.

The fix is pretty easy - in mod_auth_kerb, there are two places 
krb5_cc_resolve is used with "MEMORY:" as the second argument.  Change 
the code to use krb5_cc_new_unique and that should solve your 
problem.... (the type should be "MEMORY" without the :)

I would make the change the mod_auth_kerb and if it works - send the fix 
to the author.

I will meanwhile devise a way to bullet proof the memory cache code - to 
at least ensure that initializing a cache while someone else is walking 
it - will not do anything illegal - but probably result in an emptied 
cache - which is not what mod_auth_kerb would be expecting...


More information about the krbdev mailing list