[20083] in Kerberos_V5_Development
Re: GSSAPI security context integrity check
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 6 20:27:08 2020
To: Alexandr Nedvedicky <alexandr.nedvedicky@oracle.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <f686ce0b-04bc-5604-15a8-8347eb49eb2a@mit.edu>
Date: Wed, 6 May 2020 20:26:57 -0400
MIME-Version: 1.0
In-Reply-To: <20200506171828.GA29612@tbd>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 5/6/20 1:18 PM, Alexandr Nedvedicky wrote:
> not sure if it is the right place to ask questions related to GSSAPI, will be
> glad for any useful pointers.
This is the right place, since it relates to the MIT krb5 GSS
implementation.
> Customer switched to Solaris 11.4, which comes with kerberos
> 1.16.
Are there Solaris-specific modifications to this code, or is it
unmodified 1.16?
> two security contexts attempted to use integrity protection.
The two filenames had the same suffix (c523660). If I understand
correctly, that is the pointer value of the krb5 GSS context object--so
both g_seqstate_init() calls were for the same context (which is
consistent with the initial sequence numbers being the same). It would
be very interesting to know the stack traces of the two
g_seqstate_init() calls, although that might be difficult to collect
remotely. Normally there should only be one g_seqstate_init() call for
a context, from kg_accept_krb5().
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
