[2887] in Kerberos
Replay caches
daemon@ATHENA.MIT.EDU (riipsdev!siips39.siips!ajlill@ncrw)
Fri Nov 5 17:20:24 1993
From: riipsdev!siips39.siips!ajlill@ncrwat.waterloo.NCR.COM
To: kerberos@MIT.EDU
Reply-To: Tony.Lill@Waterloo.NCR.COM
Date: Fri, 05 Nov 93 15:32:24 -0500
I just had a spot of bother using sendauth/recvauth and replay caches.
I'm using Kerberos V, Beta 2, and I have a kerberized program that
spawns a bunch of processes that all try to connect to this one
service. What happens is that sometimes two of these processes run
sendauth close enough together that the server claims that one of the
requests is a replay.
Looking at the replay cache, it only checks the server, client, ctime
and cusec. This means that with the current code, two requests have to
be somehow spaced by at least the value of a clock tick to avoid this.
I don't think that this is entirely reasonable.
A better solution might be to include some other bit of info in the
data used in the replay cache. Perhaps the sequence number. That way
in systems like mine this can be avoided.
For the present, I've just put in a sleep and retry to get around
this.
--
Tony Lill, Tony.Lill@Waterloo.NCR.COM
President, A. J. Lill Consultants (519) 241 2461
539 Grand Valley Dr., Cambridge, Ont. fax (519) 650 3571
presently at E&M Waterloo, NCR Canada Ltd. (519) 884 1710 x624
voice plus 643 1624
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"