GSSAPI contexts used in multiple threads

Nicolas Williams Nicolas.Williams at
Wed Mar 5 11:32:29 EST 2008

On Tue, Mar 04, 2008 at 07:55:45PM -0500, Ken Raeburn wrote:
> On Mar 4, 2008, at 17:05, Nicolas Williams wrote:
> >On Tue, Mar 04, 2008 at 04:48:43PM -0500, Ken Raeburn wrote:
> >>On Mar 4, 2008, at 16:34, Nicolas Williams wrote:
> >>>If the app protocol doesn't need replay protection, then the app
> >>>shouldn't ask for it.  Otherwise I don't think you can easily and
> >>>reliably decide at the GSS level when replay protection is or is not
> >>>required.
> >>
> >>With GSSAPI, I don't think we get to ask or not.  The MIT libraries
> >
> >Absolutely you do, although only at the initiator.
> Where?  I see GSS_C_REPLAY_FLAG, but that's for detecting replayed
> wrapped messages after the authentication has succeeded, not
> detecting replayed authenticators.

Ah, sorry, I guess I misread what replays we were talking about.

Yes, for some apps authenticator replay is not an issue (e.g., NFS).

More information about the krbdev mailing list