GSSAPI contexts used in multiple threads

Ken Raeburn raeburn at MIT.EDU
Tue Mar 4 19:55:45 EST 2008

On Mar 4, 2008, at 17:05, Nicolas Williams wrote:
> On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
>> On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
>>> If the app protocol doesn't need replay protection, then the app
>>> shouldn't ask for it.  Otherwise I don't think you can easily and
>>> reliably decide at the GSS level when replay protection is or is not
>>> required.
>> With GSSAPI, I don't think we get to ask or not.  The MIT libraries
> Absolutely you do, although only at the initiator.

Where?  I see GSS_C_REPLAY_FLAG, but that's for detecting replayed  
wrapped messages after the authentication has succeeded, not  
detecting replayed authenticators.

Also, whether replay detection is helpful depends not just on the  
nature of one protocol in use, but also on what other protocols might  
be in use using the same service principal at a given site.  One  
particular IMAP client implementation can't tell whether my server  
supports some other, poorly-protected protocol for which the same  
imap/foo service principal is also used, and to which my (sniffed)  
authenticator could be retransmitted.

>> provide it by default.  I'm just suggesting we could either change
> Well, that's a bug then.

It should default to not providing the extra protection?


More information about the krbdev mailing list