Is MIT kerberos thread safe ??

Ken Raeburn raeburn at MIT.EDU
Thu Mar 12 12:43:09 EDT 2009

On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
> As the subject says , Is MIT kerberos thread safe ?
> My device is a high performance network appliance and
> I need to analyze threadsafe-ness of MIT kerberos library.

The 1.6.x releases should be thread-safe provided certain objects are  
not shared across threads for simultaneous use, primarily the Kerberos  
and GSSAPI context types.  Various other objects, especially the  
simpler ones like krb5_data and krb5_principal, and most of the  
structures exposed in our API, can be shared as long as both uses are  
read-only.  Some more complex, opaque types like krb5_ccache, and most  
if not all internal static data, have internal locking performed  
within the libraries, so that they can be used from multiple threads  
without corruption.

Unfortunately, we don't have documentation written up on *exactly*  
what can be shared across threads and when, but "never share contexts,  
and share other stuff only as inputs not outputs" is a good guideline.

And, all the above said, there could of course be bugs; if you run  
into anything, we'd like to know.

Depending on the OS, there may also be a few bits where no thread-safe  
OS version of some functionality is available.  In particular, tty  
handling when prompting for passwords is not likely to be thread-safe  
-- but if your application is prompting for several passwords  
simultaneously, it's probably doing something else wrong.

> I have followed following links from past discussion
> forums :

[... stuff five years old ...]

The thread-safety patches were included in the 1.4 release series, not  
too long after those discussions.


More information about the krbdev mailing list