
Re: Detect when KRB5CCNAME changes for certain server scenarios



>>
>> Shouldn't all inputs that change the default name affect the "probe
>> function"?
>> Right now that is KRB5CCNAME and uid of the process.
>
> Not if KRB5CCNAME is allowed to change at runtime.
>
> Consider a single threaded server that authenticates a client
> and calls setenv("KRB5CCNAME=deleg/ccache1") and then calls
> gss_init_sec_context to authenticate with second server. That will
> trigger context->default_cc_name to be set.
>
> Then a second client is authenticated and calls
> setenv("KRB5CCNAME=deleg/ccache2"). Again gss_init_sec_context is
> called but now context->default_cc_name will *not* be set and the
> *wrong* ccache file will be used.

So I think I didn't manage to express myself clearly enough. So I was
arguing that changing the uid should also trigger a default cc name
change in addition to detecting KRB5CCNAME changes.

change_to_uid(first-user)
init_sec_context
change_to_uid(other-user)
init_sec_context

Love
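
Added example, not part of the thread and not Heimdal's code: a probe that re-resolves the cached default ccache name when either KRB5CCNAME or the uid differs from what was seen at caching time, which covers both sequences discussed above. The struct, the function names and the simplified FILE:/tmp/krb5cc_<uid> fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical cache: the resolved name plus the inputs it was derived from. */
struct cc_default {
    char *name;   /* resolved default ccache name, NULL if never resolved */
    char *env;    /* KRB5CCNAME value seen at resolve time (NULL if unset) */
    uid_t uid;    /* uid seen at resolve time */
};

static char *dup_str(const char *s)
{
    size_t n = s ? strlen(s) + 1 : 0;
    char *p = n ? malloc(n) : NULL;
    return p ? memcpy(p, s, n) : NULL;
}

/* Probe: returns 1 when either input changed since the name was cached. */
int cc_default_stale(const struct cc_default *c, const char *env, uid_t uid)
{
    if (c->name == NULL || c->uid != uid) return 1;
    if (c->env == NULL || env == NULL) return c->env != env;
    return strcmp(c->env, env) != 0;
}

/* Return the default name, re-resolving whenever the probe fires.
 * Resolution is simplified: KRB5CCNAME if set, else a per-uid file. */
const char *cc_default_get(struct cc_default *c, const char *env, uid_t uid)
{
    char buf[64];
    if (!cc_default_stale(c, env, uid)) return c->name;
    free(c->name);
    free(c->env);
    snprintf(buf, sizeof(buf), "FILE:/tmp/krb5cc_%lu", (unsigned long)uid);
    c->name = dup_str(env ? env : buf);
    c->env = dup_str(env);
    c->uid = uid;
    return c->name;
}

int main(void)
{
    struct cc_default c = { NULL, NULL, 0 };
    const char *n = cc_default_get(&c, getenv("KRB5CCNAME"), getuid());
    puts(n ? n : "(out of memory)");
    return 0;
}
```

The caller passes the current environment value and uid on every lookup, so a server that switches identity between requests never reuses a name resolved for the previous client.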