Is MIT kerberos thread safe ??

Nikhil Mishra nikhilm at
Fri Mar 13 02:19:05 EDT 2009

Hello Ken ,

Thanks for the info above.

As far as I understand , Context object has some profile related objects
which is essentially a global static variable and this might give me some
trouble .

The thing that I am trying to do here is , My box gets N users per second
and I would like to authenticate all of them ( so , basically fetch the TGT)
through kerberos. I was trying to run all of them through a thread based
solution .

If thats the case I can may be create a context once and share it across
the threads for fetching the credentials ?



Ken Raeburn wrote:
> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
>> As the subject says , Is MIT kerberos thread safe ?
>> My device is a high performance network appliance and
>> I need to analyze threadsafe-ness of MIT kerberos library.
> The 1.6.x releases should be thread-safe provided certain objects are
> not shared across threads for simultaneous use, primarily the Kerberos
> and GSSAPI context types.  Various other objects, especially the
> simpler ones like krb5_data and krb5_principal, and most of the
> structures exposed in our API, can be shared as long as both uses are
> read-only.  Some more complex, opaque types like krb5_ccache, and most
> if not all internal static data, have internal locking performed
> within the libraries, so that they can be used from multiple threads
> without corruption.
> Unfortunately, we don't have documentation written up on *exactly*
> what can be shared across threads and when, but "never share contexts,
> and share other stuff only as inputs not outputs" is a good guideline.
> And, all the above said, there could of course be bugs; if you run
> into anything, we'd like to know.
> Depending on the OS, there may also be a few bits where no thread-safe
> OS version of some functionality is available.  In particular, tty
> handling when prompting for passwords is not likely to be thread-safe
> -- but if your application is prompting for several passwords
> simultaneously, it's probably doing something else wrong.
>> I have followed following links from past discussion
>> forums :
> [... stuff five years old ...]
> The thread-safety patches were included in the 1.4 release series, not
> too long after those discussions.
> Ken

More information about the krbdev mailing list