Detect when KRB5CCNAME changes for certain server scenarios
Consider a web application that authenticates clients using
gss_accept_sec_context, places the delegated credential into a file and
exports KRB5CCNAME. If the web application were to then call a library
function (e.g. ldap_sasl_bind_s) that also used Heimdal's GSSAPI, it may
fail to find the credential.
The reason is that once lib/krb5/cache.c:krb5_cc_default_name sets
context->default_cc_name, it is not set again by gss_* routines. So it
will work for the first client but not for subsequent clients.
Please consider the patch below. This will cause krb5_cc_set_default_name
to be called if KRB5CCNAME changes at all. It assumes getenv returns
the same address, but if it does not, the code is at least correct.
Mike
$ diff -Naur cache.c.0 cache.c
--- cache.c.0 2007-02-08 00:04:47.000000000 -0500
+++ cache.c 2007-02-08 00:06:05.000000000 -0500
@@ -389,8 +389,12 @@
const char* KRB5_LIB_FUNCTION
krb5_cc_default_name(krb5_context context)
{
- if (context->default_cc_name == NULL)
+ static char *krb5ccname;
+
+ if (context->default_cc_name == NULL || krb5ccname != getenv("KRB5CCNAME")) {
krb5_cc_set_default_name(context, NULL);
+ krb5ccname = getenv("KRB5CCNAME");
+ }
return context->default_cc_name;
}
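Review bot: the static krb5ccname is process-wide while context->default_cc_name is per-context, so with two krb5_context objects the first one to call krb5_cc_default_name after KRB5CCNAME changes advances krb5ccname, and the second context then compares equal, keeps its stale default_cc_name and is never refreshed; store the snapshot in the context next to default_cc_name instead, which also removes the unsynchronized static. The same condition fires on the very first call whenever KRB5CCNAME is set (krb5ccname is still NULL), which overrides a name the application chose explicitly with krb5_cc_set_default_name(context, "..."); a flag recording that an explicit name was set would keep that choice intact. Finally, as the cover note concedes, comparing the pointer returned by getenv is fragile: a buffer handed to putenv can be rewritten in place without its address changing, and setenv can hand back a new address for an unchanged value, so keep a strdup'd copy of the value, compare it with strcmp, and treat the variable becoming unset (getenv returning NULL) as a change as well.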
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
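The failure mode above is a default ccache name cached once per context and never re-read. As an added example that is not Heimdal's code and not the poster's patch, the following stand-in for lib/krb5/cache.c keeps a copy of the KRB5CCNAME value inside each context, refreshes the default name only when that value actually changes (including becoming unset), and leaves a name the application set explicitly alone. All names here (cc_ctx, cc_default_name, cc_set_default_name, the FILE: paths and the built-in default) are hypothetical; run_scenario walks the per-client re-export of KRB5CCNAME described in the post with two independent contexts, as a web application and an LDAP library would each hold.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv, unsetenv, strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not Heimdal's real names or layout. */
#define CC_BUILTIN_DEFAULT "FILE:/tmp/krb5cc_builtin"   /* stand-in for the compiled-in default */

struct cc_ctx {
    char *default_cc_name;  /* resolved default ccache name (like context->default_cc_name) */
    char *env_snapshot;     /* copy of the KRB5CCNAME value the name came from; NULL if unset */
    int   explicit_name;    /* 1 once the application set the name itself */
};

static void cc_ctx_init(struct cc_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

static void cc_ctx_free(struct cc_ctx *ctx)
{
    free(ctx->default_cc_name);
    free(ctx->env_snapshot);
    cc_ctx_init(ctx);
}

/* Counterpart of krb5_cc_set_default_name(): a NULL name means "derive the
 * default from KRB5CCNAME, falling back to the built-in default". */
static int cc_set_default_name(struct cc_ctx *ctx, const char *name)
{
    const char *env = getenv("KRB5CCNAME");
    char *newname, *snapshot = NULL;

    if (name != NULL) {                     /* explicit choice by the application */
        if ((newname = strdup(name)) == NULL)
            return -1;
        free(ctx->default_cc_name);
        ctx->default_cc_name = newname;
        ctx->explicit_name = 1;
        return 0;
    }
    if ((newname = strdup(env != NULL ? env : CC_BUILTIN_DEFAULT)) == NULL)
        return -1;
    if (env != NULL && (snapshot = strdup(env)) == NULL) {
        free(newname);
        return -1;
    }
    free(ctx->default_cc_name);
    free(ctx->env_snapshot);
    ctx->default_cc_name = newname;
    ctx->env_snapshot = snapshot;           /* the value is kept, not getenv()'s pointer */
    ctx->explicit_name = 0;
    return 0;
}

/* 1 if KRB5CCNAME now differs by value (or set/unset state) from the snapshot. */
static int env_changed(const struct cc_ctx *ctx)
{
    const char *env = getenv("KRB5CCNAME");
    if (env == NULL || ctx->env_snapshot == NULL)
        return (env == NULL) != (ctx->env_snapshot == NULL);
    return strcmp(env, ctx->env_snapshot) != 0;
}

/* Counterpart of krb5_cc_default_name(): re-derives the name only when nothing
 * is cached yet, or the environment changed and the app did not pin a name. */
const char *cc_default_name(struct cc_ctx *ctx)
{
    if (ctx->default_cc_name == NULL || (!ctx->explicit_name && env_changed(ctx)))
        if (cc_set_default_name(ctx, NULL) != 0)
            return NULL;
    return ctx->default_cc_name;
}

static int name_is(struct cc_ctx *ctx, const char *want)
{
    const char *got = cc_default_name(ctx);
    return got != NULL && strcmp(got, want) == 0;
}

/* The server scenario: long-lived contexts, KRB5CCNAME re-exported per client.
 * Returns how many of the six steps resolved to the expected cache (6 = all). */
int run_scenario(void)
{
    struct cc_ctx web, ldap;   /* two independent contexts, e.g. app and LDAP library */
    int ok = 0;

    cc_ctx_init(&web);
    cc_ctx_init(&ldap);
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_client1", 1);   /* constructed values */
    ok += name_is(&web, "FILE:/tmp/krb5cc_client1");
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_client2", 1);   /* next client arrives */
    ok += name_is(&web, "FILE:/tmp/krb5cc_client2");       /* stale cache refreshed */
    ok += name_is(&ldap, "FILE:/tmp/krb5cc_client2");      /* independent of web's state */
    cc_set_default_name(&ldap, "FILE:/tmp/krb5cc_pinned"); /* explicit name survives env changes */
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_client3", 1);
    ok += name_is(&ldap, "FILE:/tmp/krb5cc_pinned");
    ok += name_is(&web, "FILE:/tmp/krb5cc_client3");
    unsetenv("KRB5CCNAME");                                /* unset counts as a change too */
    ok += name_is(&web, CC_BUILTIN_DEFAULT);
    cc_ctx_free(&web);
    cc_ctx_free(&ldap);
    return ok;
}

int main(void)
{
    int ok = run_scenario();
    printf("%d/6 steps resolved the expected ccache\n", ok);
    return ok == 6 ? 0 : 1;
}
```

The design choice worth noting is that the snapshot lives in the context rather than in a function-level static: each context decides for itself whether its cached name is stale, which is what makes the two-context step work, and nothing shared and unsynchronized is left behind for a threaded server to race on.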