GSSAPI contexts used in multiple threads

Jeffrey Altman jaltman at secure-endpoints.com
Wed Mar 5 00:01:59 EST 2008


Ken Raeburn wrote:

> Also, whether replay detection is helpful depends not just on the  
> nature of one protocol in use, but also on what other protocols might  
> be in use using the same service principal at a given site.  One  
> particular IMAP client implementation can't tell whether my server  
> supports some other, poorly-protected protocol for which the same  
> imap/foo service principal is also used, and to which my (sniffed)  
> authenticator could be retransmitted.

This assumes that all processes on the system use the same replay
cache.  Unless an application or krb5.conf explicitly specifies
a replay cache, I do not believe that all processes on the system
will use the same rcache.  Instead, I believe cache files are allocated
one per process.

At least this is certainly the case when the library is used on
Windows.
