I am attempting to determine if there is a significant need to improve the false positive performance of the replay cache. A symptom of this behavior is the error message "Request is a replay" when there is apparently no replay. My impression is that many of the replay cache false-positive problems reported to date have been due to the KDC replay cache.
Has anyone experienced problems due to false positive conditions on an application replay cache? This is in contrast to a false positive indication on the KDC replay cache, which can cause error conditions in situations such as when mod_auth_krb obtains a ticket from the KDC using a user-submitted password.

In the case where false positives in application replay caches present a significant issue, the following project proposal describes one approach we can use to solve the problem:

http://k5wiki.kerberos.org/wiki/Projects/replay_cache_collision_avoidance

If it turns out that almost all of the problems are due to the KDC replay cache, we can consider turning off the KDC replay cache, as we believe that doing so poses negligible security consequences, and is substantially easier.

--
Tom Yu
Development Manager
MIT Kerberos Consortium

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
