
To: krb5-bugs@mit.edu
Subject: Disabling replay cache for krb5_rd_req
From: Sam Hartman <hartmans@MIT.EDU>
Date: Thu, 27 Mar 2003 16:01:04 -0500
To: krbdev@mit.edu
Message-Id: <20030326141701.82412152124@konishi-polis.mit.edu>
Date: Wed, 26 Mar 2003 09:17:01 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)
Cc: zacheiss@mit.edu
Subject: Disabling replay cache for krb5_rd_req


Hi. Garry Zacheiss points out that it is unclear how to disable the
replay cache for krb5_rd_req. It is clear that you want this
functionality for some services including things like zephyr.

In the 1.2.x code base, you can pass in a null server argument to
krb5_rd_req and this will not set up a replay cache. This is
undesirable because it also allows any principal in the keytab to
match not just the desired principal. These two behaviors should not
be controlled by the same option.

In the 1.3 code base we have added functionality to set up a replay
cache even if server is null as part of the support for
GSS_C_NO_CREDENTIAL in gss_accept_sec_context.

I propose that we add some functionality to disable replay cache for
krb5_rd_req in 1.3. It seems there are two ways to do this. The
first is to tie use of replay cache in krb5_rd_req to
KRB5_AUTH_CONTEXT_DO_TIME as we do with the use of the replay cache in
krb5_rd_priv and krb5_rd_safe. The second is to add a new flag.

Unless people object I will tie the replay cache to DO_TIME. The
DO_TIME flag is set by default, so code that does not call
krb5_auth_con_setflags will always use a replay cache.

From: hartmans@mit.edu
Subject: CVS Commit
If the auth context does not have the DO_TIME flag set and no replay
cache is available, do not generate one.


To generate a diff of this commit:



cvs diff -r5.378 -r5.379 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.36 -r5.37 krb5/src/lib/krb5/krb/rd_req.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r5.378.2.1 -r5.378.2.2 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.36 -r5.36.2.1 krb5/src/lib/krb5/krb/rd_req.c
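
The rule from the proposal and the first commit message, as a self-contained C model showing what a service gives up when it clears DO_TIME. This is an added example, not MIT krb5 code: `MODEL_DO_TIME`, `model_rd_req`, `ctx_init` and the cache layout are hypothetical stand-ins, and it assumes a cache supplied by the caller is still consulted when the flag is cleared.

```c
#include <stdio.h>
#include <string.h>
#define MODEL_DO_TIME 0x1 /* hypothetical stand-in for KRB5_AUTH_CONTEXT_DO_TIME */
#define RC_SLOTS 16
/* One remembered authenticator (constructed model, not krb5's rcache format). */
struct rc_entry { char client[64]; long ctime; int cusec; };
struct rcache { struct rc_entry e[RC_SLOTS]; int n; };
struct auth_ctx {
    int flags;               /* MODEL_DO_TIME is set by default */
    struct rcache *rcache;   /* NULL until supplied by the caller or generated */
    struct rcache generated; /* storage for a cache the model generates itself */
};

void ctx_init(struct auth_ctx *c) { memset(c, 0, sizeof *c); c->flags = MODEL_DO_TIME; }
/* Returns 1 if already seen (or the cache is full: fail closed), else records it. */
static int rc_store(struct rcache *rc, const char *client, long ctime, int cusec)
{
    for (int i = 0; i < rc->n; i++)
        if (rc->e[i].ctime == ctime && rc->e[i].cusec == cusec &&
            strcmp(rc->e[i].client, client) == 0)
            return 1;
    if (rc->n == RC_SLOTS) return 1;
    struct rc_entry *e = &rc->e[rc->n++];
    snprintf(e->client, sizeof e->client, "%s", client);
    e->ctime = ctime; e->cusec = cusec;
    return 0;
}

/* Returns 0 if the request is accepted, -1 if it is rejected as a replay. */
int model_rd_req(struct auth_ctx *c, const char *client, long ctime, int cusec)
{
    /* Generate a cache only when none is available AND DO_TIME is set. */
    if (c->rcache == NULL && (c->flags & MODEL_DO_TIME))
        c->rcache = &c->generated;
    if (c->rcache == NULL) return 0; /* flag cleared, no cache: check skipped */
    return rc_store(c->rcache, client, ctime, cusec) ? -1 : 0;
}

int main(void)
{
    struct auth_ctx dflt, off;
    ctx_init(&dflt); ctx_init(&off);
    off.flags &= ~MODEL_DO_TIME; /* a service opting out, as zephyr would */
    for (int i = 1; i <= 2; i++) /* same constructed authenticator sent twice */
        printf("send %d: default=%d DO_TIME-cleared=%d\n", i,
               model_rd_req(&dflt, "alice@EXAMPLE.COM", 1000L, 42),
               model_rd_req(&off, "alice@EXAMPLE.COM", 1000L, 42));
    return 0;
}
```

With the default flags the second send is rejected; with the flag cleared and no cache supplied, both sends are accepted, so any replay protection has to come from the application protocol itself.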