RT/krbdev.mit.edu: Ticket #3357 Would be nice to be able to test if clients handle KRB5KDC_ERR_RESPONSE_TOO

RT/krbdev.mit.edu: Ticket #3357 Would be nice to be able to test if clients handle KRB5KDC_ERR_RESPONSE_TOO_BIG correctly.

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
3357

Status
open

Worked
0 min

Priority
25/0

Queue
krb5

Keyword Selections

Component	krb5-kdc
Version_reported
Version_Fixed
Target_Version
Tags	enhancement

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

3893: (Nobody) lookaside cache changes open minor exposures [new]

Dates

Created:	Thu Jan 19 19:36:49 2006
Starts:	Not set
Started:	Not set
Last Contact:	Fri Jun 16 22:39:01 2006
Due:	Not set
Updated:	Fri Jun 16 22:39:00 2006 by raeburn

People

Owner
raeburn
Requestors
nalin@redhat.com
Cc

AdminCc

More about nalin@redhat.com

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

3099: error handling in keytab manipulation routines (open)
3180: errors reading AS-REP on systems with large numbers of interfaces (open)
5940: when the 'case' option is enabled, mget can miscompute the destination filename (open)
6520: struct utmp's ut_tv isn't always a struct timeval (open)
6742: would like to be able to specify listening address for krb5kdc and kadmind (open)
2022: configure can't mix --with-netlib and --enable-dns (open)
3059: spurious EBADF in krshd (open)
3357: Would be nice to be able to test if clients handle KRB5KDC_ERR_RESPONSE_TOO_BIG correctly. (open)
5597: ftp: error reading remote file on passive get results in leaked descriptor (open)
5755: The KDC reports the principal expiration time rather than the key expiration time. (open)
5868: kpasswd routines don't switch to tcp (open)
5891: kdb_ldap should treat entries with "nsAccountLock: true" as locked (open)
5939: PAM support for rshd, login, and ftpd (open)
6521: ftp.c makes questionable use of strlen() (open)
6524: ftp and rcp behave oddly with large files on 32-bit systems (open)
6525: man pages can have incorrect path names in them (open)
6682: krb5_get_init_creds_password() is inconsistent about when it warns about impending expiration (open)
6748: kadmind and kpropd only support one realm at a time (open)
7502: kldap plugin always writes to krbLastAdminUnlock (open)
4377: Preauthentication Plugin Framework (open)

History

Display mode: [Brief headers] [Full headers]

Thu Jan 19 19:36:52 2006	RT_System - Ticket created
		Download (untitled) 15.6k
Thu Jan 19 19:36:56 2006	RT_System - Tags enhancement added
Thu Jan 19 19:36:57 2006	RT_System - Component krb5-kdc added
Fri Jun 16 21:33:15 2006	raeburn - Given to raeburn
Fri Jun 16 21:33:15 2006	raeburn - Comments added
Hmm, every version of patch I've tried is unhappy with this patch. Most hunks fail, and some of the patch headers aren't even recognized, so it tries to apply some of them to the wrong files...		Download (untitled) 194b
Fri Jun 16 22:38:59 2006	raeburn - Correspondence added
This seems like a good idea (and I'm sorry I didn't get to reviewing it sooner), but I've got some concerns: * The lookaside cache is there largely to prevent the libkrb5 replay cache from reporting a replay error. If a message comes in over UDP, a response gets sent and lost for some reason (firewall?), and then the client tries sending the same message over TCP, I think this patch will cause the library to detect a replay that gets past the lookaside cache. Perhaps we should cache the "real" result before reporting the too-big error (or retrieve the cached result and then check its size), though that would mean some rearranging of code. * Does it make sense for the maximum size to be a realm parameter? I'm thinking of a KDC set up to service multiple realms... the realm data may determine whether large responses are likely to be generated, but I would think the network environment (or an "I'm testing" flag) would be the determining factor as to when you'd want to switch to TCP.		Download (untitled) 999b