GSSAPI contexts used in multiple threads

Shawn M Emery Shawn.Emery at Sun.COM
Wed Mar 5 00:24:25 EST 2008

Jeffrey Altman wrote:
> Ken Raeburn wrote:
>> Also, whether replay detection is helpful depends not just on the  
>> nature of one protocol in use, but also on what other protocols 
>> might  be in use using the same service principal at a given site.  
>> One  particular IMAP client implementation can't tell whether my 
>> server  supports some other, poorly-protected protocol for which the 
>> same  imap/foo service principal is also used, and to which my 
>> (sniffed)  authenticator could be retransmitted.
> This assumes that all processes on the system use the same replay
> cache.  Unless an application or krb5.conf explicitly specifies
> a replay cache I do not believe that all processes on the system
> will use the same rcache.  Instead I believe cache files are allocated
> one per process.

Typically applications will partition the rcache by service (by passing 
their principal component to krb5_get_server_rcache().  These 
applications could involve multiple processes.

> At least this is certainly the case when the library is used on
> Windows.

More information about the krbdev mailing list