Re: Detect when KRB5CCNAME changes for certain server scenarios
>> Shouldn't all inputs that change the default name affect the "probe
>> Right now that is KRB5CCNAME and uid of the process.
> Not if KRB5CCNAME is allowed to change at runtime.
> Consider a single threaded server that authenticates a client
> and calls setenv("KRB5CCNAME=deleg/ccache1") and then calls
> gss_init_sec_context to authenticate with second server. That will
> trigger context->default_cc_name to be set.
> Then a second client is authenticated and calls
> setenv("KRB5CCNAME=deleg/ccache2"). Again gss_init_sec_context is
> but now context->default_cc_name will *not* be set and the *wrong*
> ccache file will be used.
So I think I didn't manage to express myself clearly enough. So I was
arguing that changing the uid should also trigger a default cc
in addition to detecting KRB5CCNAME changes.