GSSAPI contexts used in multiple threads

Nicolas Williams Nicolas.Williams at sun.com
Tue Mar 4 17:05:40 EST 2008


On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
> On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> > If the app protocol doesn't need replay protection, then the app
> > shouldn't ask for it.  Otherwise I don't think you can easily and
> > reliably decide at the GSS level when replay protection is or is not
> > required.
> 
> With GSSAPI, I don't think we get to ask or not.  The MIT libraries  

Absolutely you do, although only at the initiator.

> provide it by default.  I'm just suggesting we could either change  

Well, that's a bug then.

> the default for certain special services, or allow the config file to  
> switch it off (or more generally, set the replay cache name) for  
> certain services at the administrator's whim (and perhaps show the  
> cache as disabled for certain services in sample config files), or  
> something.

No, just fix the bug.

> > I suspect it's not safe to change krb5.conf while apps are running,
> > but I'd love to have confirmation.  If that's the case then we may need an
> > enhancement to make it safe (but I'm not sure that will be simple
> > either).
> 
> It should be safe.  Certainly it shouldn't be a thread safety issue,  
> or cause crashes in any other way.  But there are parts of the code  
> that parse and then cache information from the config file, and they  
> don't all refresh when the file has changed, so the config  
> information in use may then be a blend of old and new. :-(  And,  
> naturally, we have no documentation on which is which.

OK, thanks.


