[torquedev] req_getcred() should match connections on client IP, not just port number

Sergio Gelato Sergio.Gelato at astro.su.se
Mon Feb 26 01:31:03 MST 2007


* Garrick Staples [2007-02-25 18:08:34 -0700]:
> On Mon, Feb 26, 2007 at 12:39:50AM +0100, Sergio Gelato alleged:
> > It occurred to me that pbs_server's req_getcred() only looks at the
> > client-side port number when looking for the connection to be authenticated
> > by AuthenUser. This is not 100% reliable, as different clients may
> > happen to use the same port number (on different IP addresses) at the
> > same time, resulting in sporadic failures. (There may be security
> > implications as well.)
> 
> Interesting scenario.  Have you actually observed the sporadic failures?

No, my server hasn't been busy enough for that. It's a birthday-paradox
kind of effect, so it would require either a large number of simultaneous 
client connections or modified clients that go out of their way to use 
the same port number. You'll notice that I didn't say "patch" in the
subject line: although I am running just fine with that patch applied,
I'm not claiming that it should be included on the trunk just yet. And in 
the long run I'm more interested in GSSAPI support than in fixing AuthenUser.
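The lookup mismatch described in this thread, and the birthday-paradox estimate behind it, as an added illustration. This is not TORQUE's own code: the connection table, its field names, the port value 40000, the hosts 10.0.0.1/10.0.0.2 and the 28232-port ephemeral range (Linux's default 32768-60999) are all constructed assumptions. It models a server that records each accepted connection's client address and source port, then shows that a credential lookup keyed on the port alone can mark a different client's connection as authenticated, while a lookup keyed on the (address, port) pair finds the right one.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_CONN 8

/* Hypothetical model of a server-side connection table entry.
   Field names are assumptions, not TORQUE's svr_conn layout. */
typedef struct {
    uint32_t addr;          /* client IPv4 address, host byte order */
    uint16_t port;          /* client-side (source) TCP port */
    int      in_use;
    int      authenticated;
} conn_entry;

static conn_entry conn_tab[MAX_CONN];

void conn_table_reset(void) { memset(conn_tab, 0, sizeof conn_tab); }

/* Register a connection; returns its table index, or -1 if full. */
int conn_table_add(uint32_t addr, uint16_t port) {
    for (int i = 0; i < MAX_CONN; i++) {
        if (!conn_tab[i].in_use) {
            conn_tab[i].addr = addr;
            conn_tab[i].port = port;
            conn_tab[i].in_use = 1;
            conn_tab[i].authenticated = 0;
            return i;
        }
    }
    return -1;
}

/* Port-only match, the behaviour the thread describes: the FIRST
   in-use entry with that client port is marked authenticated. */
int authenticate_by_port(uint16_t port) {
    for (int i = 0; i < MAX_CONN; i++)
        if (conn_tab[i].in_use && conn_tab[i].port == port) {
            conn_tab[i].authenticated = 1;
            return i;
        }
    return -1;
}

/* (address, port) match: together they identify the TCP peer. */
int authenticate_by_addr_port(uint32_t addr, uint16_t port) {
    for (int i = 0; i < MAX_CONN; i++)
        if (conn_tab[i].in_use && conn_tab[i].addr == addr &&
            conn_tab[i].port == port) {
            conn_tab[i].authenticated = 1;
            return i;
        }
    return -1;
}

/* Two hosts (constructed: 10.0.0.1 and 10.0.0.2) connect using the same
   source port; host B's AuthenUser request then arrives. Returns the
   index that ends up authenticated: host A's entry (0) for the port-only
   lookup, host B's own entry (1) for the (address, port) lookup. */
int scenario_authenticated_index(int match_on_addr) {
    const uint32_t host_a = 0x0A000001u;
    const uint32_t host_b = 0x0A000002u;
    conn_table_reset();
    conn_table_add(host_a, 40000);   /* index 0 */
    conn_table_add(host_b, 40000);   /* index 1, same client port */
    return match_on_addr ? authenticate_by_addr_port(host_b, 40000)
                         : authenticate_by_port(40000);
}

/* Birthday-paradox estimate: probability that at least two of n
   simultaneous clients picked the same source port, assuming each
   picks uniformly from `ports` ephemeral ports. */
double port_collision_probability(int n, int ports) {
    double p_none = 1.0;
    for (int i = 0; i < n; i++)
        p_none *= (double)(ports - i) / ports;
    return 1.0 - p_none;
}

int main(void) {
    printf("port-only lookup authenticated index %d\n",
           scenario_authenticated_index(0));
    printf("(addr,port) lookup authenticated index %d\n",
           scenario_authenticated_index(1));
    /* 28232 = size of the assumed 32768-60999 ephemeral range */
    printf("P(collision) with 200 clients: %.3f\n",
           port_collision_probability(200, 28232));
    return 0;
}
```

The collision estimate is what makes the "busy enough" remark concrete: with a 28232-port range, roughly 200 simultaneous unauthenticated client connections already give better than even odds that two of them share a source port, and a malicious client that binds a chosen source port deliberately does not need the coincidence at all.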

