GSSAPI contexts used in multiple threads
Nicolas.Williams at sun.com
Tue Mar 4 17:05:40 EST 2008
On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
> On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> > If the app protocol doesn't need replay protection, then the app
> > shouldn't ask for it. Otherwise I don't think you can easily and
> > reliably decide at the GSS level when replay protection is or is not
> > required.
> With GSSAPI, I don't think we get to ask or not. The MIT libraries
Absolutely you do, although only at the initiator.
> provide it by default. I'm just suggesting we could either change
Well, that's a bug then.
> the default for certain special services, or allow the config file to
> switch it off (or more generally, set the replay cache name) for
> certain services at the administrator's whim (and perhaps show the
> cache as disabled for certain services in sample config files), or
No, just fix the bug.
> > I suspect it's not safe to change krb5.conf while apps are running, but
> > I'd love to have confirmation. If that's the case then we may need an
> > enhancement to make it safe (but I'm not sure that will be simple
> > either).
> It should be safe. Certainly it shouldn't be a thread safety issue,
> or cause crashes in any other way. But there are parts of the code
> that parse and then cache information from the config file, and they
> don't all refresh when the file has changed, so the config
> information in use may then be a blend of old and new. :-( And,
> naturally, we have no documentation on which is which.