
Re: Detect when KRB5CCNAME changes for certain server scenarios



On Sat, 10 Feb 2007 02:42:49 +1100
Love Hörnquist Åstrand <lha@kth.se> wrote:

> >>
> >> Shouldn't all inputs that change the default name affect the "probe
> >> function"?
> >> Right now that is KRB5CCNAME and uid of the process.
> >
> > Not if KRB5CCNAME is allowed to change at runtime.
> >
> > Consider a single threaded server that authenticates a client
> > and calls setenv("KRB5CCNAME=deleg/ccache1") and then calls
> > gss_init_sec_context to authenticate with second server. That will
> > trigger context->default_cc_name to be set.
> >
> > Then a second client is authenticated and calls
> > setenv("KRB5CCNAME=deleg/ccache2"). Again gss_init_sec_context is called
> > but now context->default_cc_name will *not* be set and the *wrong*
> > ccache file will be used.
> 
> So I think I didn't manage to express myself clearly enough. So I was
> arguing that changing the uid should also trigger a default cc name change
> in addition to detecting KRB5CCNAME changes.
> 
> change_to_uid(first-user)
> init_sec_context
> change_to_uid(other-user)
> init_sec_context

And what if you do not change uids?

This is a real error that I encountered in my application. Apache workers
all run as 'nobody' and do not change uids. Once the default_cc_name is
set for an httpd worker process all subsequent authentications by that
worker will use the old ccache and init_sec_context will fail to find
the desired cred.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
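The failure mode discussed in this thread, as an added example that is not part of the original mail and not Heimdal's code: a small C model of the "probe function". The `struct cc_state` and the two functions are constructed stand-ins for the library's `context->default_cc_name` handling; the cache names `deleg/ccache1` and `deleg/ccache2` are the constructed values from the quoted scenario. `default_cc_set_once` reproduces the set-once behaviour Mike describes (first worker call wins, later `setenv()` ignored), while `default_cc_probe` recomputes the name whenever either KRB5CCNAME or the process uid differs from what the last probe saw, which covers both the same-uid httpd worker case and Love's change-uid case.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CC_NAME_MAX 256

/* Hypothetical per-process state standing in for the library context
 * field the thread calls context->default_cc_name. Not Heimdal code. */
struct cc_state {
    char  default_cc_name[CC_NAME_MAX]; /* cached default ccache name */
    char  probed_env[CC_NAME_MAX];      /* KRB5CCNAME as seen by the last probe */
    uid_t probed_uid;                   /* uid as seen by the last probe */
    int   probed;                       /* 0 until the first probe ran */
    int   refreshes;                    /* how often the name was recomputed */
};

/* What the default name should be right now. Assumption: KRB5CCNAME wins,
 * otherwise fall back to the conventional FILE:/tmp/krb5cc_<uid>. */
static void compute_default(char *out, size_t len)
{
    const char *env = getenv("KRB5CCNAME");
    if (env && *env)
        snprintf(out, len, "%s", env);
    else
        snprintf(out, len, "FILE:/tmp/krb5cc_%ld", (long)getuid());
}

/* The behaviour described in the thread: the name is computed on the
 * first call and never revisited, so a later setenv() is ignored. */
const char *default_cc_set_once(struct cc_state *st)
{
    if (!st->probed) {
        compute_default(st->default_cc_name, sizeof st->default_cc_name);
        st->probed = 1;
        st->refreshes++;
    }
    return st->default_cc_name;
}

/* Probe version: recompute whenever KRB5CCNAME *or* the uid differs from
 * what was seen last time, covering both scenarios raised in the thread. */
const char *default_cc_probe(struct cc_state *st)
{
    const char *env = getenv("KRB5CCNAME");
    const char *cur = env ? env : "";
    uid_t uid = getuid();

    if (st->probed && uid == st->probed_uid && strcmp(cur, st->probed_env) == 0)
        return st->default_cc_name;   /* nothing changed: cached name is still valid */

    snprintf(st->probed_env, sizeof st->probed_env, "%s", cur);
    st->probed_uid = uid;
    st->probed = 1;
    compute_default(st->default_cc_name, sizeof st->default_cc_name);
    st->refreshes++;
    return st->default_cc_name;
}

/* Replays the single-threaded two-client worker scenario with the
 * constructed names deleg/ccache1 and deleg/ccache2. Returns 1 if the
 * second client is handed its own ccache, 0 if it gets the stale one. */
int replay_two_clients(int use_probe)
{
    struct cc_state st;
    const char *name;
    memset(&st, 0, sizeof st);

    setenv("KRB5CCNAME", "deleg/ccache1", 1);   /* first client authenticated */
    name = use_probe ? default_cc_probe(&st) : default_cc_set_once(&st);
    if (strcmp(name, "deleg/ccache1") != 0)
        return 0;

    setenv("KRB5CCNAME", "deleg/ccache2", 1);   /* second client, same uid */
    name = use_probe ? default_cc_probe(&st) : default_cc_set_once(&st);
    return strcmp(name, "deleg/ccache2") == 0;
}

int main(void)
{
    printf("set-once: second client gets its own ccache? %s\n",
           replay_two_clients(0) ? "yes" : "no (stale deleg/ccache1)");
    printf("probe   : second client gets its own ccache? %s\n",
           replay_two_clients(1) ? "yes" : "no (stale deleg/ccache1)");
    return 0;
}
```

The probe keys on the exact KRB5CCNAME string and the uid rather than on the computed name, so a worker that flips between two caches still triggers a refresh each time, while repeated calls with nothing changed cost one `getenv`/`getuid` and a `strcmp` and leave the cached name untouched.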