List: krbdev
Subject: Re: gssapi and an expired TGT in cache
From: Sorin Manolache <sorinm () gmail ! com>
Date: 2015-03-04 20:44:05
Message-ID: 54F76E95.1070500 () gmail ! com
On 2015-03-04 17:21, Greg Hudson wrote:
> On 03/04/2015 10:42 AM, Sorin Manolache wrote:
>> Unfortunately it seems that krb5_cc_remove_cred is not implemented for
>> the memory cache type either.
>
> Yes, but if you use a memory ccache, you won't be sharing with other
> processes, so there will never be pre-existing creds there.
>
That is true. However my application is an HTTP server module with an
indefinite running time (similar to
http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf)
so the credentials will eventually expire.
As the server is multi-threaded the krb5_cc_destroy alternative doesn't
work either: all gss_acquire_cred/krb5 calls would then have to be protected by
a mutex in order to avoid a race condition with krb5_cc_destroy. As my
module does almost exclusively gssapi/krb5 calls the whole application
becomes almost single-threaded.
So I see the following alternatives:
1) patch gss_acquire_cred_with_password such that it detects that the
TGT stored in the cache is expired, makes a KDC request, and replaces
the expired TGT in the cache with the newly created TGT.
2) implement krb5_mcc_remove_cred. Is there any particular reason why it
was left unimplemented?
3) switch to the heimdal implementation. However heimdal uses the cache
only if the desired name passed to gss_acquire_cred is the default
principal of the cache so it's not really what I want either.
I would try the 2nd. If I succeed I'll submit the patch. If I fail, I'll
go with the 3rd one.
Best regards,
Sorin
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
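An added illustration of the threading problem discussed above; this is example code, not code from the thread, from the poster's module, or from MIT krb5. It models a MEMORY: ccache holding one TGT with plain Python objects (no libkrb5 or GSS-API calls are made), with a `get_tgt` callback standing in for the KDC round trip that gss_acquire_cred_with_password would make. Instead of destroying the shared cache in place, an expired cache is replaced by a fresh one under a short lock, and reference counting decides when the old one can be torn down, so threads in the middle of a GSS exchange keep their cache and only the check-and-swap is serialized. The class and function names (`CCache`, `CredStore`, `FakeClock`, `hammer`) and the 60-second clock-skew margin are assumptions of this example.

```python
"""Refresh-on-expiry credential holder without a global mutex.

Example only: models a MEMORY: ccache and a TGT with Python objects;
nothing here talks to libkrb5, GSS-API or a KDC.
"""
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TGT:
    """The two fields of a TGT this example needs (krb5 keeps many more)."""
    client: str
    endtime: float  # Unix time, as in krb5_creds.times.endtime


class CCache:
    """Models one MEMORY: ccache holding a single TGT.

    Reference counting stands in for the question the post raises: when is
    krb5_cc_destroy() safe?  Here the cache is torn down only after the
    CredStore has dropped it *and* every thread that checked it out has too.
    """

    def __init__(self, tgt):
        self.tgt = tgt
        self.destroyed = False
        self._refs = 1  # the CredStore's own reference
        self._lock = threading.Lock()

    def ref(self):
        with self._lock:
            assert not self.destroyed, "ref() on a destroyed cache"
            self._refs += 1
        return self

    def unref(self):
        with self._lock:
            self._refs -= 1
            last = self._refs == 0
        if last:
            self.destroyed = True  # where krb5_cc_destroy() would be called

    # `with store.checkout() as cache:` releases the reference on exit
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.unref()
        return False


class CredStore:
    """Hands out a usable cache, refreshing the TGT when it is near expiry."""

    def __init__(self, get_tgt, clock=time.time, skew=60.0):
        self._get_tgt = get_tgt  # stands in for the KDC request
        self._clock = clock
        self._skew = skew        # assumed clock-skew margin, seconds
        self._lock = threading.Lock()
        self._cache = None
        self.kdc_requests = 0

    def _usable(self, cache, now):
        return cache is not None and now + self._skew < cache.tgt.endtime

    def checkout(self):
        """Return a referenced cache; caller must unref() (or use `with`)."""
        now = self._clock()
        with self._lock:  # held only for the check and swap, not for GSS calls
            if not self._usable(self._cache, now):
                fresh = CCache(self._get_tgt())
                self.kdc_requests += 1
                old, self._cache = self._cache, fresh
                if old is not None:
                    old.unref()  # destroyed once the last user releases it
            return self._cache.ref()


class FakeClock:
    """Deterministic clock so expiry can be forced in tests."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def make_store(clock, lifetime=600.0):
    def get_tgt():  # constructed TGT; a real one would come from the KDC
        return TGT("HTTP/www.example.com@EXAMPLE.COM", clock() + lifetime)
    return CredStore(get_tgt, clock=clock)


def hammer(store, nthreads=8, iters=200):
    """Many threads check the cache out concurrently.

    Returns (set of distinct cache ids seen, list of error strings)."""
    seen, errors, seen_lock = set(), [], threading.Lock()

    def worker():
        for _ in range(iters):
            with store.checkout() as cache:
                if cache.destroyed:
                    errors.append("used a destroyed cache")
                with seen_lock:
                    seen.add(id(cache))

    threads = [threading.Thread(target=worker) for _ in range(nthreads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen, errors


if __name__ == "__main__":
    clock = FakeClock()
    store = make_store(clock)
    hammer(store)
    clock.t += 601  # TGT now expired
    hammer(store)
    print("KDC requests:", store.kdc_requests)  # 2: one initial, one refresh
```

The point relative to the post: the mutex protects only the few instructions that compare the end time and swap the cache pointer, so the server stays multi-threaded during the actual GSS-API work. In C the same shape needs an explicit reference count around the krb5_ccache handle, because krb5_cc_destroy() is not deferred the way garbage collection is here.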