Ticket File Cached in Memory?

Greg Hudson ghudson at MIT.EDU
Thu Aug 27 08:42:29 EDT 2009


On Thu, 2009-08-27 at 04:51 -0400, FROHNER Akos wrote:
> According to our experience the bottleneck is rather in
> the replay cache.

Not all protocols require a replay cache.  You can turn ours off by
setting KRB5RCACHETYPE=none in the environment.

One way to protect the server from replays is to design the protocol so
that the server sends a nonce to the client and requires the client to
play it back (with stream protection, of course).

In an ideal world, even that much should be unnecessary if you are doing
mutual authentication and stream protection, and not protecting any
application data with the authenticator checksum.  This is because
ideally, the server would pick a fresh subkey each time the client
authenticates.  Unfortunately, the server's use of subkeys is kind of
spotty at this time (for instance, for GSSAPI, it won't do so if the
client appears too old) and I believe was nonexistent prior to krb5 1.7.

We're aware that our replay cache implementation is often a bottleneck,
and I should have probably thought to mention it earlier.
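The nonce-echo design Greg describes above (server sends a fresh nonce, client returns it under stream protection, server accepts each nonce once) as an added example; this is not code from the email or from MIT krb5. It assumes a session key already shared between client and server (what the Kerberos AP exchange would establish) and uses HMAC-SHA256 as a stand-in for the integrity layer of the protected stream; the class names, the `nonce-echo|` label and the session key bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets


class ReplayRejected(Exception):
    """Raised by the server when a client response cannot be accepted."""


def echo_tag(session_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the stream-protection MAC: binds the echoed nonce to
    the shared session key so a response cannot be minted without the key."""
    return hmac.new(session_key, b"nonce-echo|" + nonce, hashlib.sha256).digest()


class NonceServer:
    """Server side of the exchange: issues one random nonce per
    authentication attempt and accepts a response for it exactly once,
    so no per-authenticator replay cache is needed."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key  # assumed: established by the AP exchange
        self.outstanding = set()        # nonces issued, not yet answered
        self.consumed = set()           # nonces already answered (kept for diagnostics)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        if nonce in self.consumed:
            raise ReplayRejected("nonce already consumed: replayed message")
        if nonce not in self.outstanding:
            raise ReplayRejected("nonce was never issued by this server")
        if not hmac.compare_digest(echo_tag(self.session_key, nonce), tag):
            raise ReplayRejected("integrity check failed")
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)
        return True


def client_response(session_key: bytes, nonce: bytes) -> tuple:
    """Client side: play the server's nonce back, authenticated under the session key."""
    return (nonce, echo_tag(session_key, nonce))


def _rejected(server: NonceServer, message: tuple) -> bool:
    try:
        server.verify(*message)
        return False
    except ReplayRejected:
        return True


def demo() -> dict:
    """Run one honest exchange, then show which malformed or repeated
    messages the server turns away. Returns the outcomes for checking."""
    key = b"constructed-session-key-for-example"   # constructed, not a real key
    server = NonceServer(key)

    # Honest client answers the challenge once.
    nonce = server.challenge()
    message = client_response(key, nonce)
    first_accepted = server.verify(*message)

    # The identical message seen a second time is a replay.
    replay_rejected = _rejected(server, message)

    # A response for a nonce the server never issued carries no proof of freshness.
    unknown_nonce_rejected = _rejected(server, client_response(key, secrets.token_bytes(16)))

    # A response built without the session key fails the integrity check.
    fresh = server.challenge()
    forged_rejected = _rejected(server, (fresh, hashlib.sha256(fresh).digest()))

    return {
        "first_accepted": first_accepted,
        "replay_rejected": replay_rejected,
        "unknown_nonce_rejected": unknown_nonce_rejected,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Because the nonce is chosen by the server and discarded as soon as it is answered, the only state the server keeps is the set of challenges it has issued and not yet seen answered; in a deployment those should expire after a short timeout so an abandoned handshake does not pin memory. The `consumed` set is there only to tell a replay apart from a never-issued nonce in error reporting; dropping the nonce from `outstanding` is what actually enforces single use.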

More information about the krbdev mailing list