review of Projects/replay_cache_collision_avoidance, ending Jan. 12
Nicolas Williams
Nicolas.Williams at sun.com
Tue Dec 30 15:41:13 EST 2008
On Sun, Dec 28, 2008 at 05:04:25PM -0500, Tom Yu wrote:
> http://k5wiki.kerberos.org/wiki/Projects/replay_cache_collision_avoidance
- This needs to be updated since we seem to agree that the
authenticator cleartext should not be used.
- In "Is this a long term fix for the problem?" the wiki says that
"[the need to reject AP-REQs during the replay cache recovery time]
implies that at the very least a change in file format would result
in an outage."
That's not really true. You could populate the new format file with
records from the old one, provided you had an option for hash-less
entries in the new format...
Nico
--
More information about the krbdev
mailing list