Regarding Issues with Memory Credential Cache

Datar, Ashutosh Anil ashutosh.datar at hp.com
Fri Aug 29 08:58:31 EDT 2008


Hi,

Thanks very much for your analysis and feedback on the issue.
I will also try to test with the suggested changes in mod_auth_kerb code and see how it works.

About the other point of changing memory cache code of Kerberos client,
I have already tried protecting the memory cache list traversal which will prevent initialization of cache doing something illegal while someone else is still accessing it. It worked well with mod_auth_kerb under high load and I didn't see any SIGSEGVs after that.

Thanks again for the feedback.

Regards,
Ashutosh

-----Original Message-----
From: Ezra Peisach [mailto:epeisach at MIT.EDU]
Sent: Friday, August 22, 2008 10:20 PM
To: Datar, Ashutosh Anil
Cc: krbdev at mit.edu
Subject: Re: Regarding Issues with Memory Credential Cache

Datar, Ashutosh Anil wrote:
> Hi,
>
> I was testing Apache Web Server (which uses mod_auth_kerb) with
> Kerberos Client 1.6.2 and found some issue with the Memory Cache handling.

Okay - I have examined the situation a little more. The problem is
really with mod_auth_kerb.  In version 5.3 (released at the end of
2006) - krb5_cc_resolve is used to create a temporary
memory cache in two places.

The second argument for the cache is "MEMORY:".  This indicates that we
want a memory cache with name "".  The cache is initialized, used and
destroyed - so I believe it was never intended to last.  So - another
thread might be iterating through the same cache and another thread then
nukes the contents of the cache with krb5_cc_initialize.

The fix is pretty easy - in mod_auth_kerb, there are two places
krb5_cc_resolve is used with "MEMORY:" as the second argument.  Change
the code to use krb5_cc_new_unique and that should solve your
problem.... (the type should be "MEMORY" without the :)

I would make the change to mod_auth_kerb and if it works - send the fix
to the author.

I will meanwhile devise a way to bullet proof the memory cache code - to
at least ensure that initializing a cache while someone else is walking
it - will not do anything illegal - but probably result in an emptied
cache - which is not what mod_auth_kerb would be expecting...

Ezra
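
The aliasing described in the quoted message, shown as an added example (not code from MIT krb5, mod_auth_kerb, or either poster): a simplified single-threaded model in which every caller that resolves the empty name gets the same process-wide cache object, so one request's initialize empties another request's cache, while unique names keep them apart. All type and function names in it are hypothetical.

```c
/* Simplified model of a process-wide MEMORY cache table; names are hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_CACHES 8
struct mcache { char name[32]; int in_use; int ncreds; };
static struct mcache table[MAX_CACHES];   /* shared by all threads */
static unsigned long next_id;

/* Like krb5_cc_resolve on "MEMORY:<name>": same name, same cache object. */
static struct mcache *mc_resolve(const char *name) {
    struct mcache *slot = NULL;
    for (int i = 0; i < MAX_CACHES; i++) {
        if (table[i].in_use && strcmp(table[i].name, name) == 0)
            return &table[i];
        if (!table[i].in_use && slot == NULL)
            slot = &table[i];
    }
    if (slot != NULL) {
        snprintf(slot->name, sizeof slot->name, "%s", name);
        slot->in_use = 1;
    }
    return slot;
}

/* Like krb5_cc_new_unique with type "MEMORY": a name no other caller holds. */
static struct mcache *mc_new_unique(void) {
    char name[32];
    snprintf(name, sizeof name, "uniq%lu", next_id++);
    return mc_resolve(name);
}

/* Like krb5_cc_initialize: discards whatever the cache held. */
static void mc_initialize(struct mcache *c) { c->ncreds = 0; }

/* A stores one credential, then B sets up its cache; returns what A still sees. */
static int creds_left_for_a(int use_unique) {
    memset(table, 0, sizeof table);
    struct mcache *a = use_unique ? mc_new_unique() : mc_resolve("");
    mc_initialize(a);
    a->ncreds++;                      /* A stores a credential */
    struct mcache *b = use_unique ? mc_new_unique() : mc_resolve("");
    mc_initialize(b);                 /* with the shared "" name, b == a */
    return a->ncreds;
}

int main(void) {
    printf("shared: %d, unique: %d\n", creds_left_for_a(0), creds_left_for_a(1));
    return 0;
}
```

In terms of the real API, the suggested change corresponds to replacing `krb5_cc_resolve(context, "MEMORY:", &ccache)` with `krb5_cc_new_unique(context, "MEMORY", NULL, &ccache)`; the variable names `context` and `ccache` are placeholders, not taken from mod_auth_kerb.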




