GSSAPI contexts used in multiple threads

Ken Raeburn raeburn at MIT.EDU
Tue Mar 4 16:48:43 EST 2008

On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> If the app protocol doesn't need replay protection, then the app
> shouldn't ask for it.  Otherwise I don't think you can easily and
> reliably decide at the GSS level when replay protection is or is not
> required.

With GSSAPI, I don't think we get to ask or not.  The MIT libraries  
provide it by default.  I'm just suggesting we could either change  
the default for certain special services, or allow the config file to  
switch it off (or more generally, set the replay cache name) for  
certain services at the administrator's whim (and perhaps show the  
cache as disabled for certain services in sample config files), or  

> I suspect it's not safe to change krb5.conf while apps are running,  
> but
> I'd love to have confirmation.  If that's the case then we may need an
> enhancement to make it safe (but I'm not sure that will be simple
> either).

It should be safe.  Certainly it shouldn't be a thread safety issue,  
or cause crashes in any other way.  But there are parts of the code  
that parse and then cache information from the config file, and they  
don't all refresh when the file has changed, so the config  
information in use may then be a blend of old and new. :-(  And,  
naturally, we have no documentation on which is which.


More information about the krbdev mailing list