GSSAPI contexts used in multiple threads
Ken Raeburn
raeburn at MIT.EDU
Tue Mar 4 19:55:45 EST 2008
On Mar 4, 2008, at 17:05, Nicolas Williams wrote:
> On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
>> On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
>>> If the app protocol doesn't need replay protection, then the app
>>> shouldn't ask for it. Otherwise I don't think you can easily and
>>> reliably decide at the GSS level when replay protection is or is not
>>> required.
>>
>> With GSSAPI, I don't think we get to ask or not. The MIT libraries
>
> Absolutely you do, although only at the initiator.
Where? I see GSS_C_REPLAY_FLAG, but that's for detecting replayed
wrapped messages after the authentication has succeeded, not
detecting replayed authenticators.
Also, whether replay detection is helpful depends not just on the
nature of one protocol in use, but also on what other protocols might
be in use using the same service principal at a given site. One
particular IMAP client implementation can't tell whether my server
supports some other, poorly-protected protocol for which the same
imap/foo service principal is also used, and to which my (sniffed)
authenticator could be retransmitted.
>> provide it by default. I'm just suggesting we could either change
>
> Well, that's a bug then.
It should default to not providing the extra protection?
Ken
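To make the distinction in this exchange concrete (detecting a replayed authenticator at accept time, as opposed to GSS_C_REPLAY_FLAG protection of wrapped messages, and why one cache shared by every protocol behind the same service principal matters), here is a small replay-cache model. It is an added illustration written for this archive page, not MIT Kerberos code; the Authenticator fields, the ReplayCache class, the 300-second skew value and the principal names are assumptions chosen to mimic the behaviour the thread describes.

```python
"""
Hypothetical replay-cache model (added example, not MIT krb5 code).

The acceptor remembers every authenticator it has seen for the length of the
allowed clock skew and rejects a second presentation of the same one.  If the
IMAP server and some other, weaker protocol on the same host share the cache
for the imap/foo principal, an authenticator sniffed from IMAP and re-sent to
the other protocol is caught; if each protocol keeps its own cache, it is not.
"""
from dataclasses import dataclass, field

CLOCK_SKEW = 300  # seconds; assumed maximum acceptable clock skew


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal name
    server: str   # service principal the ticket was issued for
    ctime: int    # client timestamp, seconds since the epoch
    cusec: int    # microsecond part of the client timestamp


@dataclass
class ReplayCache:
    """One cache per acceptor; entries are grouped by service principal."""
    skew: int = CLOCK_SKEW
    seen: dict = field(default_factory=dict)  # server -> {authenticator: expiry}

    def accept(self, auth: Authenticator, now: int) -> str:
        entries = self.seen.setdefault(auth.server, {})
        # Drop entries whose timestamp can no longer be presented anyway.
        for old, expiry in list(entries.items()):
            if expiry <= now:
                del entries[old]
        # An authenticator outside the skew window is rejected outright,
        # which is what bounds how long each entry has to be remembered.
        if abs(now - auth.ctime) > self.skew:
            return "clock skew too great"
        if auth in entries:
            return "replay"
        entries[auth] = auth.ctime + self.skew
        return "ok"


# Constructed sample values for the demonstration below.
NOW = 1_000_000
AUTH = Authenticator("ken@EXAMPLE.COM", "imap/foo.example.com@EXAMPLE.COM",
                     ctime=NOW, cusec=1234)
STALE = Authenticator("ken@EXAMPLE.COM", "imap/foo.example.com@EXAMPLE.COM",
                      ctime=NOW - 600, cusec=0)


def demo_shared_cache() -> list[str]:
    """IMAP and a second protocol consult the same cache for imap/foo."""
    cache = ReplayCache()
    results = [cache.accept(AUTH, NOW)]          # first use over IMAP
    results.append(cache.accept(AUTH, NOW + 1))  # same authenticator, other protocol
    results.append(cache.accept(STALE, NOW + 1)) # ten-minute-old authenticator
    return results


def demo_separate_caches() -> list[str]:
    """Each protocol keeps its own cache: the cross-protocol replay is missed."""
    imap_cache, other_cache = ReplayCache(), ReplayCache()
    return [imap_cache.accept(AUTH, NOW), other_cache.accept(AUTH, NOW + 1)]


if __name__ == "__main__":
    print("shared cache:   ", demo_shared_cache())
    print("separate caches:", demo_separate_caches())
```

The second function is the point of the thread's IMAP remark: the protection only covers the case Ken describes when every acceptor for imap/foo writes to the same replay cache, which is a deployment property the client cannot observe or negotiate.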