GSSAPI contexts used in multiple threads
Ken Raeburn
raeburn at MIT.EDU
Tue Mar 4 16:48:43 EST 2008
On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> If the app protocol doesn't need replay protection, then the app
> shouldn't ask for it. Otherwise I don't think you can easily and
> reliably decide at the GSS level when replay protection is or is not
> required.
With GSSAPI, I don't think we get to ask or not. The MIT libraries
provide it by default. I'm just suggesting we could either change
the default for certain special services, or allow the config file to
switch it off (or more generally, set the replay cache name) for
certain services at the administrator's whim (and perhaps show the
cache as disabled for certain services in sample config files), or
something.
> I suspect it's not safe to change krb5.conf while apps are running, but
> I'd love to have confirmation. If that's the case then we may need an
> enhancement to make it safe (but I'm not sure that will be simple
> either).
It should be safe. Certainly it shouldn't be a thread safety issue,
or cause crashes in any other way. But there are parts of the code
that parse and then cache information from the config file, and they
don't all refresh when the file has changed, so the config
information in use may then be a blend of old and new. :-( And,
naturally, we have no documentation on which is which.
Ken