[16531] in Kerberos_V5_Development


Re: Linking problem with Kerberos for Windows & mod_auth_kerb.

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Dec 7 12:03:59 2010

From: Russ Allbery <rra@stanford.edu>
To: krbdev@mit.edu
In-Reply-To: <4CFE6794.8000106@secure-endpoints.com> (Jeffrey Altman's message
	of "Tue, 07 Dec 2010 11:57:56 -0500")
Date: Tue, 07 Dec 2010 09:03:53 -0800
Message-ID: <87hbep8qh2.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Jeffrey Altman <jaltman@secure-endpoints.com> writes:

> There is no reason that I am aware of for an application to be calling
> those functions directly.  In fact, reading the source to mod_auth_kerb
> 5.4 it looks like the author has gone far out of his way to disable the
> use of replay caches by substituting his own implementation for MIT's.
> The code references MIT 1.3.3.  That was a long time ago.  I'm not even
> sure that the hack that is in place would work in a world with dynamic
> libraries on Linux.

IIRC, when I looked at this, it was the only way to actually disable the
replay cache in MIT as recently as 1.4.  I don't recall whether it was
fixed in 1.5 or 1.6.

It's only active when built against MIT because at the time that code was
written Heimdal didn't implement a replay cache by default.

Due to the way that mod_auth_kerb works and how authentications happen in
HTTP, the default historic replay cache makes mod_auth_kerb effectively
useless because of the number of replay collisions due to the browser
separately authenticating multiple open connections to assemble a typical
web page.  It's possible that subsequent work on the replay cache to
enable such things as sub-second timestamps would have fixed that.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
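The collision Russ describes, as an added illustration that is not part of this thread or of MIT's or mod_auth_kerb's code: a constructed Python model of a replay cache keyed first on the whole-second client timestamp and then on timestamp plus microseconds, run against a browser that authenticates several parallel connections within the same second. The principal names, timestamps, lifetime and cache layout are assumptions for the model.

```python
# Constructed model of a Kerberos replay cache; not MIT's rcache code.
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal
    server: str   # service principal
    ctime: int    # client timestamp, whole seconds
    cusec: int    # microsecond part of the client timestamp

class ReplayCache:
    """Reject an authenticator whose key was already seen within `lifetime`.
    key_fields sets the granularity: ("ctime",) models a cache that only
    looks at whole seconds; ("ctime", "cusec") models sub-second timestamps."""
    def __init__(self, key_fields: Tuple[str, ...], lifetime: int = 300):
        self.key_fields = key_fields
        self.lifetime = lifetime
        self.seen: Dict[tuple, int] = {}  # key -> ctime when the entry was stored

    def _key(self, a: Authenticator) -> tuple:
        return (a.client, a.server) + tuple(getattr(a, f) for f in self.key_fields)

    def check_and_store(self, a: Authenticator) -> bool:
        """Return True if accepted, False if treated as a replay."""
        # Drop entries older than the allowed skew window before checking.
        self.seen = {k: t for k, t in self.seen.items() if a.ctime - t <= self.lifetime}
        k = self._key(a)
        if k in self.seen:
            return False
        self.seen[k] = a.ctime
        return True

CLIENT = "alice@EXAMPLE.ORG"                   # constructed principal
SERVICE = "HTTP/www.example.org@EXAMPLE.ORG"   # constructed principal

def simulate_page_load(cache: ReplayCache, n_connections: int = 4, ctime: int = 1291741439) -> int:
    """A browser opens n parallel connections inside one second, each with its own
    freshly built authenticator (only cusec differs).  Returns how many the server
    accepted; every rejection here is a false replay that breaks the page load."""
    accepted = 0
    for i in range(n_connections):
        if cache.check_and_store(Authenticator(CLIENT, SERVICE, ctime, 1000 * i)):
            accepted += 1
    return accepted

def true_replay_detected(cache: ReplayCache) -> bool:
    """Resend an identical authenticator: both cache variants must reject the copy."""
    a = Authenticator(CLIENT, SERVICE, 1291741500, 4242)
    return cache.check_and_store(a) and not cache.check_and_store(a)
```

With second-only keys a four-connection page load gets one request accepted and three rejected as replays, while the sub-second key accepts all four and still catches a genuine resend.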
