[30576] in Kerberos
Re: non-KDC replay cache problems?
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Dec 23 01:09:54 2008
Date: Tue, 23 Dec 2008 00:00:15 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Tom Yu <tlyu@mit.edu>
Message-ID: <20081223060014.GH12468@Sun.COM>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ldvfxkgnkpl.fsf@cathode-dark-space.mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache? [...]
Yes, this happens with Windows clients, where the Kerberos stack may
re-use a seconds and microseconds value, if multiple AP-REQs are
initiated in the same second, but with a different sub-session key.
> If it turns out that almost all of the problems are due to the KDC
> replay cache, we can consider turning off the KDC replay cache, as we
> believe that doing so poses negligible security consequences, and is
> substantially easier.
The KDC replay cache is not an issue, although the replay cache for
TGS-REQs needs to behave similarly to the AP-REQ replay cache.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
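The false positive Nico describes (two distinct AP-REQs from the same client, in the same second and microsecond, differing only in sub-session key) can be reproduced with a toy replay cache. The example below is added here and is not code from the thread or from MIT krb5; it assumes a simplified model in which the cache key is (client, server, ctime, cusec), and contrasts it with a cache that also keys on a hash of the full authenticator contents, which accepts both legitimate requests while still rejecting a true replay.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """Simplified AP-REQ authenticator fields (constructed model, not ASN.1)."""
    client: str
    server: str
    ctime: int     # client time, seconds
    cusec: int     # client time, microseconds
    subkey: bytes  # sub-session key chosen by the client


class TimestampReplayCache:
    """Replay cache keyed only on (client, server, ctime, cusec)."""
    def __init__(self):
        self.seen = set()

    def check(self, a):
        key = (a.client, a.server, a.ctime, a.cusec)
        if key in self.seen:
            return False  # reported as a replay, even if the authenticator differs
        self.seen.add(key)
        return True


class HashedReplayCache:
    """Replay cache that also keys on a digest of the whole authenticator."""
    def __init__(self):
        self.seen = set()

    def check(self, a):
        serialized = f"{a.client}|{a.server}|{a.ctime}|{a.cusec}|".encode() + a.subkey
        digest = hashlib.sha256(serialized).hexdigest()
        key = (a.client, a.server, a.ctime, a.cusec, digest)
        if key in self.seen:
            return False  # identical authenticator seen before: genuine replay
        self.seen.add(key)
        return True


def simulate():
    # Constructed sample: two AP-REQs from the same client with an identical
    # timestamp but different sub-session keys, then a true replay of the first.
    req1 = Authenticator("alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1230000000, 123456, b"\x01" * 16)
    req2 = Authenticator("alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1230000000, 123456, b"\x02" * 16)
    ts_cache, hashed_cache = TimestampReplayCache(), HashedReplayCache()
    return {
        "timestamp_cache": [ts_cache.check(req1), ts_cache.check(req2), ts_cache.check(req1)],
        "hashed_cache": [hashed_cache.check(req1), hashed_cache.check(req2), hashed_cache.check(req1)],
    }
```

The timestamp-only cache rejects the second legitimate request as a replay, while the hashed cache accepts it and still rejects the replayed copy of the first.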