To: krb5-bugs@mit.edu
Subject: Replay cache not used in GSS_C_NO_CREDENTIAL case
From: Sam Hartman <hartmans@MIT.EDU>
Date: Wed, 25 Feb 2004 20:09:03 -0500
Apparently the context flags are set incorrectly and the replay cache is not used in the GSS_C_NO_CREDENTIAL case.
I am declaring this bug not a blocker for 1.3.2 although it is fairly
serious.
Date: Wed, 25 Feb 2004 15:49:43 -0500
From: Cesar Garcia <Cesar.Garcia@morganstanley.com>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: Cesar Garcia <Cesar.Garcia@morganstanley.com>,
Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@MIT.EDU
Subject: Re: Thread-safe libraries
According to strace ...
1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.
wrt to krb5_rd_req - it looks like rcache is obtained only if
auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME.
accept_sec_context clearly sets auth_context with
KRB5_AUTH_CONTEXT_DO_SEQUENCE.
What am I missing?
>>>>> "Sam" == Sam Hartman <hartmans@MIT.EDU> writes:
>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia@morganstanley.com> writes:
Cesar> wrt to gssapi and 1.3.1 ...
Cesar> Since we're pointing out lack of replay cache detection,
Cesar> note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar> replay cache is used. (specifically looking at 1.3.1 -
Cesar> lib/gssapi/krb5/acquire_cred.c)
Sam> I think that's false. I believe that krb5_rd_req will end up setting
Sam> up a rcache later.
Sam> I don't have time to go look through the code now though, but I wrote
Sam> it and at least intended that a replay cache would get used even
Sam> though it does not get stored in the GSSAPI credentials structure.
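
A simplified model of the flag gating described in the message above (replay cache consulted only when KRB5_AUTH_CONTEXT_DO_TIME is set), added here as an illustration; it is not MIT krb5 code. The struct types and the functions `rc_store`, `model_rd_req` and `second_presentation` are hypothetical, the sample authenticator is constructed, and only the two flag constants match krb5.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values as defined in MIT krb5's krb5.h. */
#define KRB5_AUTH_CONTEXT_DO_TIME     0x00000001
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
#define RC_SLOTS 16

/* Hypothetical, simplified types; the real replay cache is file-backed. */
struct authent { char client[32]; int32_t ctime, cusec; };
struct rcache { struct authent seen[RC_SLOTS]; int n; };
struct auth_ctx { uint32_t flags; struct rcache *rc; };

/* Returns 0 if stored, 1 if already seen (replay), -1 if the cache is full. */
static int rc_store(struct rcache *rc, const struct authent *a) {
    for (int i = 0; i < rc->n; i++)
        if (!strcmp(rc->seen[i].client, a->client) &&
            rc->seen[i].ctime == a->ctime && rc->seen[i].cusec == a->cusec)
            return 1;
    if (rc->n == RC_SLOTS) return -1;
    rc->seen[rc->n++] = *a;
    return 0;
}

/* Model of the gating: the server's replay cache is attached and consulted
 * only when DO_TIME is set. Returns 0 = accepted, 1 = rejected. */
int model_rd_req(struct auth_ctx *ctx, struct rcache *server_rc,
                 const struct authent *a) {
    if (!(ctx->flags & KRB5_AUTH_CONTEXT_DO_TIME))
        return 0;                          /* cache never opened, no check */
    if (!ctx->rc) ctx->rc = server_rc;
    return rc_store(ctx->rc, a) != 0;      /* replay or full cache: reject */
}

/* Presents one constructed authenticator twice, each time on a fresh
 * context with the given flags; returns the verdict on the second one. */
int second_presentation(uint32_t flags) {
    struct rcache rc = {0};
    struct authent a = { "client@EXAMPLE.COM", 1077742183, 303712 };
    struct auth_ctx c1 = { flags, NULL }, c2 = { flags, NULL };
    model_rd_req(&c1, &rc, &a);
    return model_rd_req(&c2, &rc, &a);
}

int main(void) {
    printf("DO_SEQUENCE only: %s\n", second_presentation(KRB5_AUTH_CONTEXT_DO_SEQUENCE) ? "rejected" : "accepted");
    printf("with DO_TIME:     %s\n", second_presentation(KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONTEXT_DO_SEQUENCE) ? "rejected" : "accepted");
    return 0;
}
```
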