Proposed modifications to replay cache to prevent false positives

Will Fiveash William.Fiveash at
Thu May 22 13:45:44 EDT 2008

On Thu, May 22, 2008 at 03:03:09AM -0400, Roland Dowdeswell wrote:
> On 1211429804 seconds since the Beginning of the UNIX epoch
> Nicolas Williams wrote:
> >
> >I should add that I doubt that mixing of server krb5 implementations
> >sharing one principal happens much.
> >
> >Also, Heimdal has a different rcache format.  So, I suspect there's no
> >real need to be backwards compatible with rcache file formats, but then,
> >to be conservative we can just retain an option for compat.
> At work, I certainly share rcaches between different krb5
> implementations on, I think, at least over 20K machines.

This seems risky to me if I understand the above.  Note that the default
location for rcaches in Solaris is under /var/krb5/rcache which may
differ from other krb implementations.  If one is running services using
krb auth with differing krb implementations but using a common service
principal care should be taken to configure the various krb flavors to
use a common rcache (assuming they all support the same rcache format).
Otherwise a replay attack is possible if the services are using
different rcaches for the same service principal.

Will Fiveash
Sun Microsystems Inc.

More information about the krbdev mailing list