rcache question

Joakim Tjernlund
I got this old module (mod_auth_kerb) that doesn't build with version >= 18.2 due to missing krb5_rc_resolve_full().
Looking at the code I got:
static int
have_rcache_type(const char *type)
{
   krb5_error_code ret;
   krb5_context context;
   krb5_rcache id = NULL;
   int found;

   ret = krb5_init_context(&context);
   if (ret)
      return 0;

   ret = krb5_rc_resolve_full(context, &id, "none:");
   found = (ret == 0);

   if (ret == 0)
      krb5_rc_destroy(context, id);
   krb5_free_context(context);

   return found;
}

and this is used like so:
   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
      1.3.x are covered by the hack overriding the replay calls */
   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
      putenv(strdup("KRB5RCACHETYPE=none"));

Looking at the mit-krb5 code it seems to me that rcache type "none" always
returns true so I could just make:
 have_rcache_type(const char *type) { return 1; }
Is that a correct assumption?

 Jocke

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: rcache question

Greg Hudson
On 8/13/20 8:45 AM, Joakim Tjernlund wrote:
> Looking at the mit-krb5 code it seems to me that rcache type "none" always
> returns true so I could just make:
>  have_rcache_type(const char *type) { return 1; }
> Is that a correct assumption?

Yes, since it is no longer necessary to detect really old versions.

I would recommend switching to mod_auth_gssapi if possible.
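
Added example, not part of the original thread and not mod_auth_kerb's own code: the startup logic after the simplification confirmed above, written so it builds without libkrb5. The enum, suppress_replay_cache() and the logging in main() are hypothetical names; have_rcache_type() is reduced to the constant discussed in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* POSIX function; declared here so the file also builds in strict ISO C modes. */
extern int setenv(const char *name, const char *value, int overwrite);

#define RCACHE_ENV "KRB5RCACHETYPE"

enum rcache_choice {
    RCACHE_LEFT_ALONE,   /* variable already set (or probe failed): untouched */
    RCACHE_FORCED_NONE,  /* this code set KRB5RCACHETYPE=none */
    RCACHE_SET_FAILED    /* setenv() failed, e.g. out of memory */
};

/* Per the thread: on current MIT krb5 the "none" type always resolves,
 * so the krb5_rc_resolve_full() probe reduces to a constant. */
static int have_rcache_type(const char *type)
{
    (void)type;
    return 1;
}

/* Hypothetical helper: apply the module's default only when the operator
 * has not chosen a replay cache type, and report which case occurred. */
static enum rcache_choice suppress_replay_cache(void)
{
    if (getenv(RCACHE_ENV) != NULL || !have_rcache_type("none"))
        return RCACHE_LEFT_ALONE;
    /* setenv() copies its arguments, so no unchecked strdup() is needed. */
    if (setenv(RCACHE_ENV, "none", 0) != 0)
        return RCACHE_SET_FAILED;
    return RCACHE_FORCED_NONE;
}

int main(void)
{
    enum rcache_choice c = suppress_replay_cache();
    const char *v = getenv(RCACHE_ENV);

    /* Log the outcome so a disabled replay cache is visible to operators. */
    fprintf(stderr, "%s=%s (%s)\n", RCACHE_ENV, v ? v : "(unset)",
            c == RCACHE_FORCED_NONE ? "set by module" :
            c == RCACHE_LEFT_ALONE  ? "operator setting kept" : "setenv failed");
    return c == RCACHE_SET_FAILED;
}
```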

Re: rcache question

Joakim Tjernlund
On Thu, 2020-08-13 at 11:17 -0400, Greg Hudson wrote:
>
> On 8/13/20 8:45 AM, Joakim Tjernlund wrote:
> > Looking at the mit-krb5 code it seems to me that rcache type "none" always
> > returns true so I could just make:
> >  have_rcache_type(const char *type) { return 1; }
> > Is that a correct assumption?
>
> Yes, since it is no longer necessary to detect really old versions.

OK, thanks!

>
> I would recommend switching to mod_auth_gssapi if possible.

It is planned, but for now I just need to make the server run with 1.18.
Would the browser notice if I switch to mod_auth_gssapi? Some config to tweak?

    Jocke


Re: rcache question

Simo Sorce-3
On Thu, 2020-08-13 at 15:29 +0000, Joakim Tjernlund wrote:

> On Thu, 2020-08-13 at 11:17 -0400, Greg Hudson wrote:
> > On 8/13/20 8:45 AM, Joakim Tjernlund wrote:
> > > Looking at the mit-krb5 code it seems to me that rcache type "none" always
> > > returns true so I could just make:
> > >  have_rcache_type(const char *type) { return 1; }
> > > Is that a correct assumption?
> >
> > Yes, since it is no longer necessary to detect really old versions.
>
> OK, thanks!
>
> > I would recommend switching to mod_auth_gssapi if possible.
>
> It is planned, but for now I just need to make the server run with 1.18.
> Would the browser notice if I switch to mod_auth_gssapi? Some config to tweak?

If you use just basic settings there should be no difference.
If you used some obscure mod_auth_krb config options you may need to
understand what they did and apply appropriate options to
mod_auth_gssapi configuration to compensate.

So far I do not know of any major difference, and haven't had bug
reports of situations where mod_auth_gssapi conf could not be adapted
to work as wanted.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



