Disabling Replay Cache in Kerberos JGSS
Weijun Wang
weijun.wang at oracle.com
Tue Mar 5 09:29:55 UTC 2013
I cannot guarantee a time, maybe within a month in jdk8, and the next
jdk7u release after it appears in 8.
-Max
On 3/5/13 5:16 PM, Vipul Mehta wrote:
> Can you give an estimate about when or in which version this might be
> available?
>
>
> On Tue, Mar 5, 2013 at 7:16 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> Hi Vipul
>
> No, we don't have such a setting now but we are considering adding
> one, most likely using a krb5.conf key-value pair.
>
> Thanks
> Max
>
>
>
> On 3/4/13 1:23 PM, Vipul Mehta wrote:
>
> Hi,
>
> I want to disable the replay cache during context establishment in
> Kerberos (JGSS) to avoid the "Request is a replay (34)" exception. JGSS
> provides the method requestReplayDet() to be called on the initiator side,
> but this works only to detect replay of tokens passed after context
> establishment. context.requestReplayDet(false) doesn't prevent the
> replay exception during context establishment.
>
> I am using a separate context for each thread. For replay detection, JGSS
> just checks if multiple context establishment requests from a client have
> the same timestamp in the authenticator. With several threads using the same
> client principal, it may happen that the replay attack detected is a false
> positive.
>
> MIT Kerberos provides a way to disable the replay cache by setting
> KRB5RCACHENAME=none in environment variables. In JGSS, it looks like
> there is no such thing.
>
>
> --
> Regards,
> Vipul
>
>
>
>
> --
> Regards,
> Vipul
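
The false positive described in the original question, as an added example that is not part of the thread and not JGSS source code: a simplified model of an acceptor-side replay cache keyed on the authenticator's client name, ctime and cusec, fed by several threads that share one client principal. The class name, the principal, the record and both clock suppliers are assumptions of this model (Java 16 or later for the record); the second clock is only a contrast that isolates the cause and is not a JGSS setting.

```java
import java.util.Set;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.LongSupplier;

// Simplified model of an acceptor-side replay cache. Not JGSS source code.
public class ReplayCacheModel {
    // Authenticator fields the model cache keys on: client name, ctime, cusec.
    record AuthKey(String client, long ctimeSec, int cusec) {}

    // Runs `threads` initiators that share one client principal and returns how
    // many fresh requests the cache would reject as "Request is a replay (34)".
    static int falsePositives(int threads, int perThread, LongSupplier clockMicros)
            throws InterruptedException {
        Set<AuthKey> cache = ConcurrentHashMap.newKeySet();
        AtomicLong rejected = new AtomicLong();
        CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int i = 0; i < perThread; i++) {
                    long us = clockMicros.getAsLong();
                    AuthKey k = new AuthKey("client@EXAMPLE.COM", // constructed principal
                            us / 1_000_000, (int) (us % 1_000_000));
                    if (!cache.add(k)) rejected.incrementAndGet(); // key already seen
                }
            });
        }
        start.countDown();              // release all threads at once
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return (int) rejected.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // Millisecond-resolution clock: concurrent threads read identical values.
        LongSupplier coarse = () -> System.currentTimeMillis() * 1000;
        // Contrast (assumption of this model): never issue the same microsecond twice.
        AtomicLong last = new AtomicLong();
        LongSupplier unique = () -> last.updateAndGet(
                p -> Math.max(p + 1, System.currentTimeMillis() * 1000));
        System.out.println("coarse clock, rejected: " + falsePositives(8, 1000, coarse));
        System.out.println("unique clock, rejected: " + falsePositives(8, 1000, unique));
    }
}
```

Every request in both runs is a new, legitimate context establishment, so any rejection counted by the model is a false positive caused purely by two authenticators carrying the same client name and timestamp.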