Linking problem with Kerberos for Windows & mod_auth_kerb.
rra at stanford.edu
Tue Dec 7 12:03:53 EST 2010
Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> There is no reason that I am aware of for an application to be calling
> those functions directly. In fact, reading the source to mod_auth_kerb
> 5.4 it looks like the author has gone far out of his way to disable the
> use of replay caches by substituting his own implementation for MIT's.
> The code references MIT 1.3.3. That was a long time ago. I'm not even
> sure that the hack that is in place would work in a world with dynamic
> libraries on Linux.
IIRC, when I looked at this, it was the only way to actually disable the
replay cache in MIT as recently as 1.4. I don't recall whether it was
fixed in 1.5 or 1.6.
It's only active when built against MIT because at the time that code was
written Heimdal didn't implement a replay cache by default.
Due to the way that mod_auth_kerb works and how authentications happen in
HTTP, the default historic replay cache makes mod_auth_kerb effectively
useless because of the number of replay collisions due to the browser
separately authenticating multiple open connections to assemble a typical
web page. It's possible that subsequent work on the replay cache to
enable such things as sub-second timestamps would have fixed that.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev