Disabling Replay Cache in Kerberos JGSS
Weijun Wang
weijun.wang at oracle.com
Tue Mar 5 01:46:04 UTC 2013
Hi Vipul,
No, we don't have such a setting now but we are considering adding one,
most likely using a krb5.conf key-value pair.
Thanks
Max
On 3/4/13 1:23 PM, Vipul Mehta wrote:
> Hi,
>
> I want to disable the replay cache during context establishment in
> Kerberos (JGSS) to avoid the "Request is a replay (34)" exception. JGSS
> provides the method requestReplayDet() to be called on the initiator side,
> but this works only to detect replay of tokens passed after context
> establishment. context.requestReplayDet(false) doesn't prevent the
> replay exception during context establishment.
>
> I am using a separate context for each thread. For replay detection, JGSS
> just checks whether multiple context establishment requests from a client
> have the same timestamp in the authenticator. With several threads using
> the same client principal, it may happen that the replay attack detected
> is a false positive.
>
> MIT Kerberos provides a way to disable the replay cache by setting
> KRB5RCACHENAME=none in the environment variables. In JGSS, it looks like
> there is no such thing.
>
> --
> Regards,
> Vipul
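The false-positive scenario from the question, worked through as an added example (this is not JGSS code and not part of the thread): a Python model of an acceptor-side replay cache that keys entries only on (client principal, server principal, ctime, cusec), which is the behaviour Vipul describes, beside a variant that also keys on a hash of the authenticator contents, in the style of the hash-extended records that MIT's later replay-cache format stores. The principal names, timestamps and authenticator bodies are constructed sample values, and `simulate()` is an illustrative driver, not any real API.

```python
"""Model of an acceptor-side Kerberos replay cache (added example, not JGSS code).

Two cache designs see the same constructed traffic:
  * TimestampReplayCache keys entries on (client, server, ctime, cusec) only,
    so two threads of one client that produce the same timestamp collide.
  * HashedReplayCache additionally keys on a hash of the authenticator, so
    two *different* authenticators sharing a timestamp are told apart, while
    an exact re-send of an earlier authenticator is still rejected.
All principal names, times and bodies below are constructed sample values.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KRB_AP_ERR_REPEAT = 34  # the "Request is a replay (34)" error code


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal (constructed sample value)
    server: str   # target service principal (constructed sample value)
    ctime: int    # KerberosTime, seconds granularity
    cusec: int    # microseconds field
    body: bytes   # remaining authenticator content (subkey, seq number, ...)

    def digest(self) -> str:
        """Hash over every field, so any difference in content changes the key."""
        return hashlib.sha256(
            self.client.encode() + b"|" + self.server.encode()
            + self.ctime.to_bytes(8, "big") + self.cusec.to_bytes(4, "big")
            + self.body
        ).hexdigest()


class TimestampReplayCache:
    """Rejects an authenticator whose (client, server, ctime, cusec) was seen
    within the clock-skew window. This is the behaviour the thread describes."""

    def __init__(self, skew_seconds: int = 300):
        self.skew = skew_seconds
        self._seen: Dict[Tuple, int] = {}

    def _key(self, a: Authenticator) -> Tuple:
        return (a.client, a.server, a.ctime, a.cusec)

    def check_and_store(self, a: Authenticator, now: int) -> Optional[int]:
        """Return None if accepted, KRB_AP_ERR_REPEAT if rejected as a replay."""
        # Entries older than the skew window are dropped: an authenticator that
        # old would already fail the clock-skew check, so it need not be remembered.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        key = self._key(a)
        if key in self._seen:
            return KRB_AP_ERR_REPEAT
        self._seen[key] = now
        return None


class HashedReplayCache(TimestampReplayCache):
    """Same policy, but the key also covers the authenticator contents."""

    def _key(self, a: Authenticator) -> Tuple:
        return (a.client, a.server, a.ctime, a.cusec, a.digest())


def simulate(cache: TimestampReplayCache) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Run three constructed authenticators through `cache` and return the verdicts:

    1. thread A's authenticator;
    2. thread B's authenticator: same principal pair and the same ctime/cusec
       as A (the concurrent-threads case), but a different body;
    3. an exact re-send of thread A's authenticator (a genuine replay).
    """
    now = 1362400000  # constructed acceptor clock reading
    client = "client@EXAMPLE.COM"
    server = "host/app.example.com@EXAMPLE.COM"
    a = Authenticator(client, server, now, 123456, b"subkey-A")
    b = Authenticator(client, server, now, 123456, b"subkey-B")
    return (
        cache.check_and_store(a, now),
        cache.check_and_store(b, now),
        cache.check_and_store(a, now),
    )


if __name__ == "__main__":
    print("timestamp-only key:", simulate(TimestampReplayCache()))  # (None, 34, 34)
    print("hash-extended key: ", simulate(HashedReplayCache()))     # (None, None, 34)
```

The timestamp-only cache reports thread B's legitimate request as a replay, which is the false positive described in the question; the hash-extended key keeps the replay protection (the third verdict stays 34) without that collision.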