On 11 Jul 2013, at 20:40, Benjamin Kaduk <[email protected]> wrote:

> In practice, this probably means that you can't call GSSNegotiate against one
> vlserver and then try to finish against a different vlserver.

You definitely want to disallow this. In fact, you want to require that all of the GSSNegotiate calls for a given context occur on the same connection.

> My rough plan for implementing multi-round-trip mechanisms on the server-side
> was to cache partially-constructed GSS security contexts, with a cap on how
> many can be cached at once and an expiration timer on them. That would
> eliminate any need to either export/import the partially-constructed context
> or replay GSS tokens.

With the OpenAFS RX stack, you can just use connection-specific objects to store the partially built security contexts. These will then be disposed of when the connection is destroyed - you don't need to use the opaque objects at all, unless you want to support establishing multiple contexts simultaneously over the same connection.

Cheers,

Simon

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
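The following is an added illustration of the server-side scheme discussed in the exchange above; it is example code written for this page, not code from OpenAFS, from RX, or from either poster. Partially built contexts are kept in a connection-private object with a cap and an idle timer, a GSSNegotiate continuation is only looked up on the connection it arrived on (so a handle obtained on connection A is simply not found on connection B), and destroying the connection frees whatever is still half built. The names rx_conn, gss_negotiate, MAX_PARTIAL_CTXS and PARTIAL_CTX_TTL are hypothetical, the round counts are a stand-in for a mechanism's real token exchange, and the partial_ctx struct takes the place of a real gss_ctx_id_t.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define MAX_PARTIAL_CTXS 4   /* assumed cap on half-built contexts per connection */
#define PARTIAL_CTX_TTL  30  /* assumed seconds of idleness before one is dropped */

/* Stand-in for a mechanism's partially established security context.
 * A real server would keep a gss_ctx_id_t here instead of a round counter. */
typedef struct partial_ctx {
    unsigned int handle;      /* opaque id returned to the client after round 1 */
    int rounds_done;
    time_t last_used;
    struct partial_ctx *next;
} partial_ctx;

/* Hypothetical connection-private object: partial contexts live here and die
 * with the connection, so nothing has to be exported, imported or replayed. */
typedef struct {
    unsigned int conn_id;
    partial_ctx *partials;
    int count;
    unsigned int next_handle;
} rx_conn;

enum neg_result { NEG_CONTINUE = 0, NEG_COMPLETE, NEG_NO_CONTEXT, NEG_TOO_MANY };

static void free_partial(rx_conn *c, partial_ctx **pp) {
    partial_ctx *p = *pp;
    *pp = p->next;
    free(p);
    c->count--;
}

/* Drop half-built contexts the client has walked away from. */
void expire_partials(rx_conn *c, time_t now) {
    partial_ctx **pp = &c->partials;
    while (*pp) {
        if (now - (*pp)->last_used > PARTIAL_CTX_TTL)
            free_partial(c, pp);
        else
            pp = &(*pp)->next;
    }
}

/* One GSSNegotiate call. handle == 0 starts a new context; otherwise the
 * client must be continuing a context started on *this* connection.
 * rounds_needed models how many round trips the mechanism wants. */
enum neg_result gss_negotiate(rx_conn *c, unsigned int handle, int rounds_needed,
                              time_t now, unsigned int *out_handle) {
    partial_ctx **pp, *p;

    expire_partials(c, now);
    if (handle == 0) {
        if (c->count >= MAX_PARTIAL_CTXS)
            return NEG_TOO_MANY;          /* cap hit: refuse, never evict live state */
        p = calloc(1, sizeof *p);
        if (!p)
            return NEG_TOO_MANY;
        p->handle = ++c->next_handle;
        p->next = c->partials;
        c->partials = p;
        c->count++;
    } else {
        /* Only this connection's cache is searched, so a handle issued on
         * another connection (or one that expired) is unknown here. */
        for (pp = &c->partials; *pp && (*pp)->handle != handle; pp = &(*pp)->next)
            ;
        if (!*pp)
            return NEG_NO_CONTEXT;
        p = *pp;
    }
    p->rounds_done++;
    p->last_used = now;
    *out_handle = p->handle;
    if (p->rounds_done >= rounds_needed) {
        /* Established: a real server would now hand the finished context to
         * the connection's security object; the partial entry is retired. */
        for (pp = &c->partials; *pp != p; pp = &(*pp)->next)
            ;
        free_partial(c, pp);
        return NEG_COMPLETE;
    }
    return NEG_CONTINUE;
}

/* Connection teardown: every half-built context goes with it. */
void rx_conn_destroy(rx_conn *c) {
    while (c->partials)
        free_partial(c, &c->partials);
}

/* Walks the scenarios from the thread and returns how many behaved as expected (7). */
int demo_scenario(void) {
    rx_conn a = {1, NULL, 0, 0}, b = {2, NULL, 0, 0};
    unsigned int h = 0, h2 = 0, tmp = 0, stale = 0;
    int ok = 0, i;

    if (gss_negotiate(&a, 0, 2, 100, &h) == NEG_CONTINUE && h != 0) ok++;      /* round 1 on A */
    if (gss_negotiate(&b, h, 2, 101, &h2) == NEG_NO_CONTEXT) ok++;             /* finishing on B is refused */
    if (gss_negotiate(&a, h, 2, 102, &h2) == NEG_COMPLETE && a.count == 0) ok++; /* finishing on A works */
    for (i = 0; i < MAX_PARTIAL_CTXS; i++) {
        gss_negotiate(&a, 0, 2, 200, &tmp);
        if (i == 0) stale = tmp;
    }
    if (a.count == MAX_PARTIAL_CTXS &&
        gss_negotiate(&a, 0, 2, 200, &tmp) == NEG_TOO_MANY) ok++;              /* cap enforced */
    if (gss_negotiate(&a, 0, 2, 300, &tmp) == NEG_CONTINUE && a.count == 1) ok++; /* idle ones expired */
    if (gss_negotiate(&a, stale, 2, 301, &tmp) == NEG_NO_CONTEXT) ok++;        /* expired handle rejected */
    rx_conn_destroy(&a);
    if (a.count == 0 && a.partials == NULL) ok++;                               /* teardown frees the rest */
    rx_conn_destroy(&b);
    return ok;
}

int main(void) {
    printf("%d/7 checks passed\n", demo_scenario());
    return 0;
}
```

The cap refuses new negotiations rather than evicting an in-progress one, so a flood of first-round tokens cannot knock a legitimate client's half-built context out from under it; the idle timer is what eventually reclaims abandoned entries. The same structure works if several contexts per connection are wanted (the handle disambiguates them); with exactly one context per connection the handle and the list collapse to a single pointer in the connection object, which is the simpler case suggested above.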
