Disabling Replay Cache in Kerberos JGSS
Vipul Mehta
vipulmehta.1989 at gmail.com
Mon Mar 4 05:23:23 UTC 2013
Hi,
I want to disable the replay cache during context establishment in Kerberos
(JGSS) to avoid the "Request is a replay (34)" exception. JGSS provides the
method requestReplayDet() to be called on the initiator side, but this works
only to detect replay of tokens passed after context establishment.
context.requestReplayDet(false) doesn't prevent the replay exception during
context establishment.
I am using a separate context for each thread. For replay detection, JGSS
just checks if multiple context establishment requests from a client have the
same timestamp in the authenticator. With several threads using the same client
principal, it may happen that the replay attack detected is a false positive.
MIT Kerberos provides a way to disable the replay cache by setting
KRB5RCACHENAME=none in the environment variables. In JGSS, it looks like there
is no such thing.
--
Regards,
Vipul
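The false positive described in the post comes from a replay cache that keys only on the client principal and the authenticator timestamp, which has one-second granularity. The following is an added example, not code from the original post and not JGSS's or MIT Kerberos's own implementation: a small Python model of an acceptor-side replay cache with that key, run against two concurrent initiations for the same principal within the same second and then a genuine replay of the first token. A second variant keys on the full authenticator (the RFC 4120 fields ctime and cusec plus the rest of the token, stood in for by a constructed byte string) to show that only the true repeat is flagged. Principal names, timestamps and token bytes are constructed.

```python
"""Simplified model of an acceptor-side Kerberos replay cache.

Added example: models the check described in the post (same client, same
authenticator timestamp => "Request is a replay (34)") and contrasts it with a
cache keyed on the whole authenticator. Not JGSS's or MIT Kerberos's code.
"""
from dataclasses import dataclass
from typing import List, Type


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal, constructed, e.g. "svc/app@EXAMPLE.COM"
    ctime: int    # authenticator time in whole seconds (KerberosTime granularity)
    cusec: int    # microsecond part of the authenticator time (RFC 4120 cusec)
    token: bytes  # constructed stand-in for the rest of the encrypted authenticator


class TimestampReplayCache:
    """Keyed on (client, ctime) only: the check the post attributes to JGSS.

    Two legitimate requests from the same principal in the same second share a
    key, so the second one is rejected as a replay (the false positive).
    """

    def __init__(self) -> None:
        self.seen = set()

    def check(self, auth: Authenticator) -> bool:
        key = (auth.client, auth.ctime)
        if key in self.seen:
            return False  # would raise "Request is a replay (34)"
        self.seen.add(key)
        return True


class FullAuthenticatorReplayCache:
    """Keyed on the whole authenticator, so only an exact repeat collides.

    Concurrent initiations differ at least in cusec (and in the encrypted
    token), while a real replay of a captured token repeats every field.
    """

    def __init__(self) -> None:
        self.seen = set()

    def check(self, auth: Authenticator) -> bool:
        key = (auth.client, auth.ctime, auth.cusec, auth.token)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def simulate(cache_cls: Type, requests: List[Authenticator]) -> List[bool]:
    """Feed the requests through a fresh cache; True = accepted, False = replay."""
    cache = cache_cls()
    return [cache.check(a) for a in requests]


# Constructed scenario: two threads initiate contexts for the same client
# principal within the same second, then the first token is replayed verbatim.
T = 1362374603  # constructed epoch seconds
REQUESTS = [
    Authenticator("svc/app@EXAMPLE.COM", T, 120_000, b"thread-1-token"),
    Authenticator("svc/app@EXAMPLE.COM", T, 350_000, b"thread-2-token"),
    Authenticator("svc/app@EXAMPLE.COM", T, 120_000, b"thread-1-token"),  # real replay
]

if __name__ == "__main__":
    # Timestamp-only cache rejects the legitimate second thread as well as the replay.
    print("timestamp-only:", simulate(TimestampReplayCache, REQUESTS))
    # Full-authenticator cache accepts both threads and rejects only the replay.
    print("full-authenticator:", simulate(FullAuthenticatorReplayCache, REQUESTS))
```

The model makes the trade-off visible: disabling the cache (the post's KRB5RCACHENAME=none) removes the false positive but also the detection of the genuine replay in the third request, whereas a finer-grained key keeps both legitimate threads working without giving that up.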