[30337] in Kerberos

Re: Sequence numbering after export and import of context

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Oct 6 00:42:37 2008

Date: Sun, 5 Oct 2008 23:18:36 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Michael B Allen <ioplex@gmail.com>
Message-ID: <20081006041836.GS1157@Sun.COM>
In-Reply-To: <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
Cc: Markus Moeller <huaraz@moeller.plus.com>, kerberos@mit.edu

On Mon, Oct 06, 2008 at 12:01:16AM -0400, Michael B Allen wrote:
> Personally I think the whole export / import of security contexts is a
> little awkward. Instead of moving the context we just put all IO
> buffers in shared memory and have one process running the muxer loop
> (although the reason for doing this has nothing to do with GSSAPI).

In Solaris secure NFS can deal with mechanisms that don't support
security context import/export, but for mechanisms that don't the price
to pay is an upcall to user-land for every GSS per-message token.

The security context import/export feature definitely has its place.

In the case of the original poster, however, I agree that there is a
better solution.  But that mostly follows from the OP's application
design being incompatible with security context import/export, and the
only solution is to change the application design.  At least IIUC.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
