Is MIT kerberos thread safe ??

Mark Phalan Mark.Phalan at Sun.COM
Thu Mar 12 17:13:40 EDT 2009

On 12 Mar 2009, at 17:43, Ken Raeburn wrote:

> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
>> As the subject says , Is MIT kerberos thread safe ?
>> My device is a high performance network appliance and
>> I need to analyze threadsafe-ness of MIT kerberos library.
> The 1.6.x releases should be thread-safe provided certain objects are
> not shared across threads for simultaneous use, primarily the Kerberos
> and GSSAPI context types.  Various other objects, especially the
> simpler ones like krb5_data and krb5_principal, and most of the
> structures exposed in our API, can be shared as long as both uses are
> read-only.  Some more complex, opaque types like krb5_ccache, and most
> if not all internal static data, have internal locking performed
> within the libraries, so that they can be used from multiple threads
> without corruption.
> Unfortunately, we don't have documentation written up on *exactly*
> what can be shared across threads and when, but "never share contexts,
> and share other stuff only as inputs not outputs" is a good guideline.
> And, all the above said, there could of course be bugs; if you run
> into anything, we'd like to know.

The PKINIT plugin is a problem if it is used in multiple threads due  
to its use of OpenSSL.


More information about the krbdev mailing list