GSSAPI contexts used in multiple threads
Nicolas Williams
Nicolas.Williams at sun.com
Wed Mar 5 11:32:29 EST 2008
On Tue, Mar 04, 2008 at 07:55:45PM -0500, Ken Raeburn wrote:
> On Mar 4, 2008, at 17:05, Nicolas Williams wrote:
> >On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
> >>On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> >>>If the app protocol doesn't need replay protection, then the app
> >>>shouldn't ask for it. Otherwise I don't think you can easily and
> >>>reliably decide at the GSS level when replay protection is or is not
> >>>required.
> >>
> >>With GSSAPI, I don't think we get to ask or not. The MIT libraries
> >
> >Absolutely you do, although only at the initiator.
>
> Where? I see GSS_C_REPLAY_FLAG, but that's for detecting replayed
> wrapped messages after the authentication has succeeded, not
> detecting replayed authenticators.

Ah, sorry, I guess I misread what replays we were talking about.
Yes, for some apps authenticator replay is not an issue (e.g., NFS).