GSSAPI contexts used in multiple threads
Shawn M Emery
Shawn.Emery at Sun.COM
Wed Mar 5 00:24:25 EST 2008
Jeffrey Altman wrote:
> Ken Raeburn wrote:
>
>> Also, whether replay detection is helpful depends not just on the
>> nature of one protocol in use, but also on what other protocols
>> might be in use using the same service principal at a given site.
>> One particular IMAP client implementation can't tell whether my
>> server supports some other, poorly-protected protocol for which the
>> same imap/foo service principal is also used, and to which my
>> (sniffed) authenticator could be retransmitted.
>
> This assumes that all processes on the system use the same replay
> cache. Unless an application or krb5.conf explicitly specifies
> a replay cache I do not believe that all processes on the system
> will use the same rcache. Instead I believe cache files are allocated
> one per process.
Typically applications will partition the rcache by service (by passing
their principal component to krb5_get_server_rcache()). These
applications could involve multiple processes.
Shawn.
--
> At least this is certainly the case when the library is used on
> Windows.
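
The cache-sharing question discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: a simplified in-memory model (no libkrb5 calls) in which two acceptor processes receive the same authenticator. The cache names, client name, timestamp and all helper functions are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model only: a replay cache is the set of authenticator identities
 * (client, ctime, cusec) already accepted. Expiry is left out. */
#define MAX_ENTRIES 16
#define MAX_CACHES  8

struct auth { const char *client; long ctime; int cusec; };
struct rcache { char name[64]; struct auth seen[MAX_ENTRIES]; int n; };

static struct rcache caches[MAX_CACHES];
static int ncaches;

/* Return the cache with this name, creating it on first use. */
static struct rcache *rcache_open(const char *name) {
    for (int i = 0; i < ncaches; i++)
        if (strcmp(caches[i].name, name) == 0) return &caches[i];
    if (ncaches == MAX_CACHES) return NULL;
    struct rcache *rc = &caches[ncaches++];
    snprintf(rc->name, sizeof rc->name, "%s", name);
    rc->n = 0;
    return rc;
}

/* Record an authenticator: 1 = already seen (replay), 0 = fresh, -1 = full. */
static int rcache_store(struct rcache *rc, struct auth a) {
    for (int i = 0; i < rc->n; i++)
        if (strcmp(rc->seen[i].client, a.client) == 0 &&
            rc->seen[i].ctime == a.ctime && rc->seen[i].cusec == a.cusec)
            return 1;
    if (rc->n == MAX_ENTRIES) return -1;
    rc->seen[rc->n++] = a;
    return 0;
}

/* Process A accepts an authenticator, then process B is handed the same
 * one. Returns what B's cache reports. Equal names mean a shared cache. */
static int replay_seen_by_second(const char *cache_a, const char *cache_b) {
    struct auth a = { "user@EXAMPLE.COM", 1204694665L, 123456 }; /* constructed */
    ncaches = 0;                       /* start each scenario with no caches */
    struct rcache *first = rcache_open(cache_a);
    struct rcache *second = rcache_open(cache_b);
    if (!first || !second) return -1;
    rcache_store(first, a);
    return rcache_store(second, a);
}

int main(void) {
    printf("per-service cache: %d\n", replay_seen_by_second("rc_imap", "rc_imap"));
    printf("per-process cache: %d\n", replay_seen_by_second("rc_pid_100", "rc_pid_200"));
    return 0;
}
```

The second process reports the repeated authenticator only in the scenario where both processes open the same named cache.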
More information about the krbdev mailing list