Carson Gaspar wrote:
Carson Gaspar wrote:
Howard Chu wrote:
Paul Hasenohr wrote:
I am running Debian Etch with current Debian packages:
* slapd 2.3.30-5
* sasl2-bin 2.1.22.dfsg1-8
* libsasl2-2 2.1.22.dfsg1-8
* krb5-kdc 1.4.4-7etch5
Could anyone please tell me if this behaviour is to be expected or how
this could be improved?
Best advice - use Heimdal Kerberos. MIT Kerberos code quality is poor,
and thread safety is still unproven.
And the sky is blue, and that has NOTHING to do with the problem.
The problem is _exactly_ what the log says it is. The client is sending
multiple identical auth requests, which the KDC is (properly) rejecting
as a replay attack. Google shows many hits for a similar bug in
mod_auth_kerb.
I tracked down what may be the mod_auth_kerb fix, if anyone cares to
look at it:
http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.75&r2=1.76&view=patch
Replacing one piece of poorly implemented code (replay cache) with another
hack to disable it. Great idea. Better idea - replace more of it. In fact,
replace all of it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
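The replay rejection the log in this thread shows is the acceptor-side replay check of RFC 4120 section 3.2.3: a server remembers every authenticator it has accepted within the permitted clock skew, and a second copy of the same authenticator is refused with KRB_AP_ERR_REPEAT. The following is an added example written for this page, not code from the thread, OpenLDAP, mod_auth_kerb, MIT or Heimdal. It is a simplified model: the principal names, the 300-second skew default, the authenticator byte strings and the function names are all constructed for illustration, and a real replay cache is persisted and shared across processes rather than held in one dictionary.

```python
# Added example (not code from the thread, OpenLDAP, MIT or Heimdal):
# a minimal model of the Kerberos replay check from RFC 4120 section 3.2.3.
# The acceptor remembers each authenticator it has seen within the allowed
# clock skew; an identical authenticator presented again is rejected with
# KRB_AP_ERR_REPEAT, which is the behaviour the thread's log describes.
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; assumed default, matching the usual krb5 setting


@dataclass(frozen=True)
class Authenticator:
    """Constructed stand-in for the fields an acceptor keys its replay cache on."""
    client: str   # client principal
    server: str   # service principal
    ctime: int    # client time, seconds
    cusec: int    # client microseconds, disambiguates requests in the same second
    blob: bytes   # constructed stand-in for the encrypted authenticator bytes


class ReplayCache:
    """Simplified replay cache: (client, server, ctime, cusec, hash) -> ctime."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self._seen: dict = {}

    def _expire(self, now: int) -> None:
        # Entries older than the skew window can never match a valid
        # authenticator again: such an authenticator fails the skew check first.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}

    def check(self, auth: Authenticator, now: int) -> str:
        """Return 'OK', 'KRB_AP_ERR_SKEW' or 'KRB_AP_ERR_REPEAT'."""
        self._expire(now)
        if abs(now - auth.ctime) > self.skew:
            return "KRB_AP_ERR_SKEW"
        key = (auth.client, auth.server, auth.ctime, auth.cusec,
               hashlib.sha256(auth.blob).hexdigest())
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = auth.ctime
        return "OK"


SERVICE = "ldap/ldap.example.com@EXAMPLE.COM"   # constructed principal
CLIENT = "paul@EXAMPLE.COM"                      # constructed principal


def resend_same_ap_req(times: int, now: int = 1_000_000) -> list:
    """A buggy client re-sending one AP-REQ verbatim: only the first is accepted."""
    cache = ReplayCache()
    auth = Authenticator(CLIENT, SERVICE, now, 123456, b"constructed-authenticator-1")
    return [cache.check(auth, now) for _ in range(times)]


def fresh_ap_reqs(times: int, now: int = 1_000_000) -> list:
    """A correct client builds a new authenticator (new cusec, new bytes) per request."""
    cache = ReplayCache()
    results = []
    for i in range(times):
        auth = Authenticator(CLIENT, SERVICE, now, 100_000 + i,
                             b"constructed-authenticator-%d" % i)
        results.append(cache.check(auth, now))
    return results


def replay_after_skew(now: int = 1_000_000) -> tuple:
    """An authenticator replayed after the skew window is still rejected,
    by the skew check rather than the replay cache."""
    cache = ReplayCache()
    auth = Authenticator(CLIENT, SERVICE, now, 1, b"constructed-authenticator-old")
    first = cache.check(auth, now)
    later = cache.check(auth, now + CLOCK_SKEW + 1)
    return first, later


if __name__ == "__main__":
    print(resend_same_ap_req(3))   # ['OK', 'KRB_AP_ERR_REPEAT', 'KRB_AP_ERR_REPEAT']
    print(fresh_ap_reqs(3))        # ['OK', 'OK', 'OK']
    print(replay_after_skew())     # ('OK', 'KRB_AP_ERR_SKEW')
```

The point of the model is the one the thread makes: the rejection is the server doing its job, and the fix belongs on the client side (a fresh authenticator per request), not in disabling the replay cache on the acceptor.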