Linking problem with Kerberos for Windows & mod_auth_kerb.

Russ Allbery rra at
Tue Dec 7 12:03:53 EST 2010

Jeffrey Altman <jaltman at> writes:

> There is no reason that I am aware of for an application to be calling
> those functions directly.  In fact, reading the source to mod_auth_kerb
> 5.4 it looks like the author has gone far out of his way to disable the
> use of replay caches by substituting his own implementation for MIT's.
> The code references MIT 1.3.3.  That was a long time ago.  I'm not even
> sure that the hack that is in place would work in a world with dynamic
> libraries on Linux.

IIRC, when I looked at this, it was the only way to actually disable the
replay cache in MIT as recently as 1.4.  I don't recall whether it was
fixed in 1.5 or 1.6.

It's only active when built against MIT because at the time that code was
written Heimdal didn't implement a replay cache by default.

Due to the way that mod_auth_kerb works and how authentications happen in
HTTP, the default historic replay cache makes mod_auth_kerb effectively
useless because of the number of replay collisions due to the browser
separately authenticating multiple open connections to assemble a typical
web page.  It's possible that subsequent work on the replay cache to
enable such things as sub-second timestamps would have fixed that.

Russ Allbery (rra at             <>

More information about the krbdev mailing list