[1439] in Kerberos-V5-bugs
[Ed Phillips: Re: krb5_recvauth()]
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Jun 1 13:02:17 1995
Date: Thu, 1 Jun 1995 13:02:01 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: proven@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Chris, could you look at this and let me know what you think? I think
Ed has a few valid points here. Thanks....
- Ted
------- Forwarded Message
Date: Thu, 1 Jun 1995 11:30:00 -0400 (EDT)
From: Ed Phillips <flaregun@udel.edu>
To: "Theodore Ts'o" <tytso@MIT.EDU>
Cc: kerberos@MIT.EDU
Subject: Re: krb5_recvauth()
In-Reply-To: <9506010422.AA14749@dcl.MIT.EDU>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Thu, 1 Jun 1995, Theodore Ts'o wrote:
> No, the replay cache *shouldn't be part of the krb5_context, because an
> application may be accepting authentications as multiple services, and
> you need a separate replay cache for each server principal.
> Furthermore, you do have to keep the reply cache in disk, because
> multiple processes may need to access the same reply cache
> simultaneously. So the requirement to load in the entire rcache, add
> entries to it, and saving it back, is always going to be a requirement.
> That's why you need to do file locking on the rcache.
So, for a simple server, using one service principal, just doing
krb5_recvauth(), you really should initialize your own rcache. Then when
a new connection comes in, you can call krb5_auth_con_init(), and call
krb5_auth_con_setrache() to point the in memory rcache. The real dilemma
is, if you call krb5_auth_con_setrcache(), should calling
krb5_auth_con_free() close the rcache, or just free the pointer to it in
the auth context? If I explcitly call krb5_auth_con_setrcache(), then one
would expect that I will close it when I want to, not expect it to be
closed as a side-effect of calling krb5_auth_con_free(). I looks like the
rcache pointer in the auth context may have to continue working this way,
unless there is some way of denoting that the rcache was explicitly set by
a call to krb5_auth_con_setrcache(), or setup by a libkrb5.a routine.
Maybe krb5_recvauth() should require an rcache be set up and passed to it,
or it should close any rcache it creates/recovers before returning.
Thanks Ted,
Ed
+-------------------------------------------------------------------------+
| Ed Phillips <flaregun@udel.edu> University of Delaware (302) 831-6082 |
| Jr Systems Programmer, Network and Systems Services, Info. Technologies |
| Public key footprint: 1C D4 AC C2 A3 D5 97 AA DB 3B D8 85 88 E7 40 B8 |
| Finger flaregun@udel.edu for PGP public key |
+-------------------------------------------------------------------------+
------- End Forwarded Message
------- Begin Forwarded Message
Date: Thu, 1 Jun 1995 12:26:18 -0400 (EDT)
From: Ed Phillips <flaregun@udel.edu>
To: "Theodore Ts'o" <tytso@MIT.EDU>
Cc: kerberos@MIT.EDU
Subject: Re: krb5_recvauth()
In-Reply-To: <9506010422.AA14749@dcl.MIT.EDU>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Ted,
Gee whiz... it seems that krb5_recvauth() opens a new rcache no
matter what is in the auth context, and then sets authcontext->rcache to
this newly opened one. In my previous message I was assuming that you
could somehow pass an rcache to krb5_recvauth(), but there's no way to do
that now. There used to be. Anyway, it looks like krb5_recvauth()
should use the rcache in the auth context if one is available. Does this
make sense?
Thanks,
Ed
+-------------------------------------------------------------------------+
| Ed Phillips <flaregun@udel.edu> University of Delaware (302) 831-6082 |
| Jr Systems Programmer, Network and Systems Services, Info. Technologies |
| Public key footprint: 1C D4 AC C2 A3 D5 97 AA DB 3B D8 85 88 E7 40 B8 |
| Finger flaregun@udel.edu for PGP public key |
+-------------------------------------------------------------------------+
------- End Forwarded Message
