GSSAPI contexts used in multiple threads
Ken Raeburn
raeburn at MIT.EDU
Wed Mar 5 01:41:00 EST 2008
On Mar 5, 2008, at 00:01, Jeffrey Altman wrote:
> This assumes that all processes on the system use the same replay
> cache. Unless an application or krb5.conf explicitly specifies
> a replay cache I do not believe that all processes on the system
> will use the same rcache. Instead I believe cache files are allocated
> one per process.
I think we're doing one file for each combination of uid and service
name, if you go through krb5_get_server_rcache. It probably
shouldn't be per uid, but there are obviously some access control
issues to work out there. On the other hand, I suspect practically
all services sharing service principal names on a machine are run
under the same uid, at least in the UNIX world, so it's probably not
too big a problem. If multiple service principal names can use the
same key, though, we get a new problem, in that services using any of
those principal names need to be treated together as a set for
replay prevention or detection.
Per-process replay caches wouldn't be of much use for services that
run one process per client. If we actually do it that way anywhere,
it's a bug...
Ken
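To make the cache-scoping trade-offs in the message concrete, here is a small model of replay-cache selection. It is an added example, not code from MIT krb5 or from anyone on this thread. The acceptor records (client, server, ctime, cusec) for each authenticator and rejects a repeat inside the clock skew, as krb5 does; what the model varies is which cache an acceptor is handed. The "per_uid_service" scope mirrors what the message says krb5_get_server_rcache does; "per_process" is the behaviour Ken calls a bug; "per_key" treats every principal name that shares a key as one set. The class names, the key_id field, the SCOPES table and the assumption that two differently named services holding the same key can both decrypt and accept one ticket are all illustrative assumptions, not krb5 behaviour.

```python
"""Model of Kerberos replay-cache scoping (added example; not MIT krb5 code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

CLOCK_SKEW = 300  # seconds; krb5's default tolerance for clock drift


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal from the authenticator
    server: str   # server principal named in the ticket
    ctime: int    # client time, seconds
    cusec: int    # client time, microseconds


@dataclass(frozen=True)
class Acceptor:
    uid: int      # uid the service process runs as
    service: str  # service principal name the acceptor is configured with
    key_id: str   # assumption: identity of the long-term key used to decrypt tickets
    pid: int      # process id


class ReplayCache:
    """One cache instance: remembers authenticator tuples inside the skew window."""

    def __init__(self) -> None:
        self._seen: Set[Tuple[str, str, int, int]] = set()

    def check(self, auth: Authenticator, now: int) -> bool:
        """Return True if the authenticator is fresh (and record it), False otherwise."""
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return False  # stale: rejected before the replay check would even matter
        entry = (auth.client, auth.server, auth.ctime, auth.cusec)
        if entry in self._seen:
            return False  # replay
        self._seen.add(entry)
        return True


# A scope maps an acceptor to the identity of the cache it should share.
Scope = Callable[[Acceptor], tuple]

SCOPES: Dict[str, Scope] = {
    "per_process": lambda a: ("pid", a.pid),
    "per_uid_service": lambda a: ("uid", a.uid, a.service),  # per the thread's description
    "per_key": lambda a: ("key", a.key_id),  # all names sharing a key form one set
}


class CacheRegistry:
    """Hands out caches by scope, like a per-name rcache file would."""

    def __init__(self, scope: Scope) -> None:
        self._scope = scope
        self._caches: Dict[tuple, ReplayCache] = {}

    def accept(self, acceptor: Acceptor, auth: Authenticator, now: int) -> bool:
        cache = self._caches.setdefault(self._scope(acceptor), ReplayCache())
        return cache.check(auth, now)


def replay_outcomes(scope_name: str) -> Dict[str, bool]:
    """Replay one captured AP-REQ into a second acceptor under a given scope.

    Each value is True when the replay was rejected, False when it slipped through.
    """
    scope = SCOPES[scope_name]
    now = 1_000_000
    # Constructed sample: alice's authenticator for host/a.example.com.
    auth = Authenticator("alice@EXAMPLE.COM", "host/a.example.com@EXAMPLE.COM", now, 1234)

    # Scenario 1: a service that forks one process per client, same name and key.
    reg = CacheRegistry(scope)
    worker1 = Acceptor(uid=0, service="host/a.example.com", key_id="K1", pid=4001)
    worker2 = Acceptor(uid=0, service="host/a.example.com", key_id="K1", pid=4002)
    reg.accept(worker1, auth, now)                   # first presentation, always fresh
    forked = not reg.accept(worker2, auth, now + 1)  # same AP-REQ replayed to a new worker

    # Scenario 2: two differently named services sharing one key (assumption: both can
    # decrypt the ticket and neither rejects it on the server name).
    reg = CacheRegistry(scope)
    host_svc = Acceptor(uid=0, service="host/a.example.com", key_id="K1", pid=5001)
    ftp_svc = Acceptor(uid=0, service="ftp/a.example.com", key_id="K1", pid=5002)
    reg.accept(host_svc, auth, now)
    shared_key = not reg.accept(ftp_svc, auth, now + 1)

    return {"one_process_per_client": forked, "shared_key_two_names": shared_key}


if __name__ == "__main__":
    for name in SCOPES:
        print(name, replay_outcomes(name))
```

Running it shows the two points the message makes: a per-process cache catches neither replay, the per-uid-and-service-name cache catches the forked-worker replay but not the one across two names that share a key, and only a cache scoped to the key (the "set" of names Ken describes) catches both.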