[625] in Kerberos-V5-bugs
KDC lookaside buffer can return incorrect results
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Fri Aug 12 12:26:58 1994
Date: Fri, 12 Aug 1994 12:27:51 -0400
From: "Jonathan I. Kamens" <jik@cam.ov.com>
To: krb5-bugs@MIT.EDU

In a very specific circumstance, the KDC lookaside buffer can return
an incorrect result. In particular, if a client makes a request, then
the KDC database is changed in a way related to that request by
kadmind or something, then the client makes the exact same request *in
the same second*, the lookaside buffer will return the old response,
even though it is no longer valid.

For example, our unit tests sometimes kinit as a user, change the
user's password, and then kinit again with the new password, all in
quick succession. When they run fast enough, the lookaside buffer
sends back a TGT with the old password, and kinit can't decrypt it.

A long-term solution to this problem would perhaps be to have the KDC
dump its lookaside buffer whenever it received a certain signal, and
have the admin server send it that signal whenever it modifies the
database. We may get around to implementing such a fix eventually.

In the short term, however, a much quicker solution is simply to
disable the lookaside buffer. Our experience (which, granted, is in a
pretty small-scale environment) is that it almost never gets used; in
the 15,062 lines that our KDC logged between June 25 and August 8,
only 76 of them, or 0.5%, were "replay found and re-transmitted".
Therefore, although the bug I'm reporting is pretty minor, we believe
that the benefit of the lookaside buffer is even more minor, so we're
disabling it here until we can fix it properly, and we think that the
MIT code should either disable it or fix it too.

To disable the buffer, you just put "#if 0" or "#ifdef
KDC_USE_LOOKASIDE_BUFFER" and "#endif" around the lines in dispatch()
that call kdc_check_lookaside and kdc_insert_lookaside.

Thanks,
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
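
An added example, not part of the original message or the MIT code: a toy lookaside cache in C that reproduces the stale hit described above and the signal-triggered flush proposed as the long-term fix. The function names, the use of SIGUSR1 and the request/reply strings are assumptions made for illustration.

```c
#include <signal.h>
#include <string.h>

#define SLOTS 8
#define MAXLEN 64

struct entry { int used; size_t req_len; char req[MAXLEN]; char rep[MAXLEN]; };
static struct entry cache[SLOTS];
static int next_slot;
static volatile sig_atomic_t flush_pending;   /* set by the signal handler only */

/* Handler for the "database changed" signal (SIGUSR1 is an assumption). */
static void on_db_changed(int sig) { (void)sig; flush_pending = 1; }

/* Return the cached reply for a byte-identical request, or NULL. */
const char *lookaside_check(const char *req, size_t len)
{
    if (flush_pending) {              /* drop everything cached before the change */
        flush_pending = 0;
        memset(cache, 0, sizeof cache);
    }
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].req_len == len &&
            memcmp(cache[i].req, req, len) == 0)
            return cache[i].rep;
    return NULL;
}

void lookaside_insert(const char *req, size_t len, const char *rep)
{
    if (len > MAXLEN || strlen(rep) >= MAXLEN) return;   /* too large to cache */
    struct entry *e = &cache[next_slot];
    next_slot = (next_slot + 1) % SLOTS;
    e->used = 1; e->req_len = len;
    memcpy(e->req, req, len);
    strcpy(e->rep, rep);
}

/* Replays kinit, password change, kinit; returns 1 if the retry gets the stale reply. */
int stale_reply_after_change(int admin_sends_signal)
{
    static const char req[] = "AS-REQ alice t=1000";     /* constructed request bytes */
    memset(cache, 0, sizeof cache); next_slot = 0; flush_pending = 0;
    signal(SIGUSR1, on_db_changed);
    lookaside_insert(req, sizeof req, "TGT{old key}");   /* first kinit is cached */
    if (admin_sends_signal) raise(SIGUSR1);              /* admin server changed the DB */
    const char *hit = lookaside_check(req, sizeof req);  /* same request, same second */
    return hit != NULL && strcmp(hit, "TGT{old key}") == 0;
}
```

Signal delivery from a separate admin process is asynchronous, so a request that arrives between the database write and the signal can still hit the old entry.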