Mats Erik Andersson <[email protected]> writes:

> Wednesday, 8 August 2012 at 14:07, Simon Josefsson wrote this:
>> Thanks for working on Shishi support in InetUtils!
>>
>> Mats Erik Andersson <[email protected]> writes:
>>
>> > * There was a call to shishi_done() executed from within
>> >   auth_finished() until yesterday. That led to the premature
>> >   release of the Shishi handle, and sometimes segfaults.
>>
>> Do you know what kind of problems you'd get due to this?
>
> As long as krb5shishi_cleanup() was called by auth_finished()
> in krb5shishi_is_auth() [sic!] there was a segmentation fault
> when krb5shishi_status() issued shishi_authorized_p(), caused
> by the invalidation of the handle. This is how I discovered
> the matter. Not easy to backtrack after that, though.

Yeah, these function pointer structs are a bit messy.

> The issue at hand originates in "telnetd/utility.c" where the
> server cannot avoid to call auth_wait() in order to capture
> the authorization status. This is done very late, so the
> Shishi handle must be alive at least until this point.
>
> How about the encryption case? Does it need prolonged access
> to the handle, or could the encryption run independently of
> the shishi handle?

It needs a shishi handle, but I don't think it needs to share any
information with the shishi handle used during authentication.

> The client needs shishi_done() in order to incorporate
> any issued and valid ticket into the cache.

Ah, yes, that would be good to do. Maybe there should be a Shishi
interface for saving the cached tickets. InetUtils could invoke this to
achieve it though:

  shishi_tkts_to_file (shishi_tkts_default (handle),
                       shishi_tkts_default_file (handle))

However maybe saving received tickets should be done automatically by
Shishi.

> Does the server need to propagate any bits into its own cache? In such
> case, we must find a suitable location to call shishi_done().

No, the server is stateless.

/Simon
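
The lifetime problem discussed in this thread (the handle released when the authentication exchange finishes, then used by the later status query), as an added example that is not part of the original messages and is not InetUtils or Shishi code. It goes slightly beyond the thread by also making the status query fail closed once the handle is gone. All names (fake_handle, mod_init, mod_finished, mod_status, mod_cleanup, run_session) are hypothetical stand-ins and no libshishi call is used:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the library handle; NOT the real Shishi type. */
struct fake_handle { char principal[32]; };
enum { ST_NO_HANDLE = -1, ST_REJECT = 0, ST_USER = 1 };

static struct fake_handle *handle;  /* owned by the auth module */
static int auth_done;               /* exchange finished, handle still live */

/* Idempotent release; the only place the handle is freed. */
static void mod_cleanup(void)
{
    free(handle);
    handle = NULL;
    auth_done = 0;
}

static int mod_init(const char *principal)
{
    mod_cleanup();                  /* never leak or reuse an old handle */
    handle = calloc(1, sizeof *handle);
    if (!handle) return -1;
    strncpy(handle->principal, principal, sizeof handle->principal - 1);
    return 0;
}

/* Exchange completed: record it, but do NOT release the handle here. */
static void mod_finished(void) { auth_done = 1; }

/* Late status query, issued after the exchange has finished. */
static int mod_status(const char *wanted)
{
    if (!handle) return ST_NO_HANDLE;   /* fail closed, no dereference */
    if (!auth_done) return ST_REJECT;
    return strcmp(handle->principal, wanted) == 0 ? ST_USER : ST_REJECT;
}

/* Safe order for one session: finish, query status, then clean up. */
static int run_session(const char *principal, const char *wanted)
{
    if (mod_init(principal) != 0) return ST_NO_HANDLE;
    mod_finished();
    int st = mod_status(wanted);
    mod_cleanup();
    return st;
}

int main(void) { printf("%d\n", run_session("alice", "alice")); return 0; }
```

Calling mod_cleanup() from inside mod_finished() would reproduce the ordering described in the thread; with the NULL check in mod_status() that mistake yields ST_NO_HANDLE instead of a crash.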
