On 10/10/2014 09:50 AM, Rick van Rein wrote:
> I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for
> GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that
> is also available in the Kerberos mapping of GSS-API. So the answer appears
> to be “yes, you can do this with Kerberos”.

You probably want to be looking at RFC 2743 and RFC 2744, not RFC 1509, but yes.

> I’m going to assume that MIT krb5 will indeed implement these.

We do. Some implementation limits to be aware of:

* Prior to 1.12.2, we had a bug where initial out-of-order delivery could
  result in GSS_S_FAILURE. The ticket is:
  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7872

* Prior to 1.13, we can detect replays matching any of the 20 previously
  received sequence numbers. I think sequence numbers below the range of
  that set will result in GSS_S_FAILURE, due to a bug.

* Starting with 1.13, we can detect replays for values within 64 of the
  expected next sequence number, and will properly return GSS_S_OLD_TOKEN
  if the received sequence number is below that range. Notes on the
  rewrite are at: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7879

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
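The sliding-window replay check described in the reply above (a window of 64 below the expected next sequence number, with tokens below the window reported as old rather than checked) can be modelled in a few dozen lines. The following is an added illustration written for this thread; it is not krb5's own sequence-state code, and the type and function names (`seq_state`, `seq_check`, the `SEQ_*` outcomes) are hypothetical. The outcomes are named after the RFC 2743 per-message status codes, the window size follows the 1.13 behaviour in the mail, and the token arrival order at the bottom is constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Outcomes modelled on the GSS-API per-message status codes of RFC 2743.
 * These names are this example's own; they are not krb5 symbols. */
enum seq_status {
    SEQ_OK,         /* the expected next token */
    SEQ_UNSEQ,      /* inside the window, arrived late (GSS_S_UNSEQ_TOKEN) */
    SEQ_GAP,        /* ahead of expected; earlier tokens missing (GSS_S_GAP_TOKEN) */
    SEQ_DUPLICATE,  /* already accepted once: a replay (GSS_S_DUPLICATE_TOKEN) */
    SEQ_OLD         /* below the window; replay status unknowable (GSS_S_OLD_TOKEN) */
};

/* Hypothetical receiver state: a 64-bit bitmap covering the `window`
 * sequence numbers just below `next`. Bit i set means next-1-i was seen. */
struct seq_state {
    uint64_t next;      /* expected next sequence number */
    uint64_t seen;      /* receipt bitmap for next-1 down to next-window */
    unsigned window;    /* 1..64; the mail describes 64 for krb5 1.13 */
};

void seq_init(struct seq_state *s, uint64_t initial, unsigned window)
{
    s->next = initial;
    s->seen = 0;
    s->window = (window == 0 || window > 64) ? 64 : window;
}

/* Slide the bitmap for a token at or beyond the expected number and record it. */
static void seq_advance(struct seq_state *s, uint64_t n)
{
    uint64_t d = n - s->next;             /* number of tokens skipped over */
    if (d + 1 >= 64)
        s->seen = 1;                      /* the whole old window falls off */
    else
        s->seen = (s->seen << (d + 1)) | 1;
    s->next = n + 1;
}

enum seq_status seq_check(struct seq_state *s, uint64_t n)
{
    if (n == s->next) { seq_advance(s, n); return SEQ_OK; }
    if (n > s->next)  { seq_advance(s, n); return SEQ_GAP; }

    uint64_t d = s->next - 1 - n;         /* distance back from the newest token */
    if (d >= s->window)
        return SEQ_OLD;                   /* too old: replay vs. late delivery undecidable */
    uint64_t bit = (uint64_t)1 << d;
    if (s->seen & bit)
        return SEQ_DUPLICATE;             /* seen before inside the window: replay */
    s->seen |= bit;
    return SEQ_UNSEQ;                     /* first sighting, out of order */
}

/* Constructed arrival order (not captured traffic); the context starts at 100. */
static const uint64_t scenario[] = {100, 101, 101, 103, 102, 102, 200, 136, 137, 137};
#define SCENARIO_LEN (sizeof scenario / sizeof scenario[0])

/* Replays the scenario from a fresh context and returns the status at `step`. */
enum seq_status scenario_status(size_t step)
{
    struct seq_state s;
    enum seq_status st = SEQ_OLD;
    seq_init(&s, 100, 64);
    for (size_t i = 0; i <= step && i < SCENARIO_LEN; i++)
        st = seq_check(&s, scenario[i]);
    return st;
}

int main(void)
{
    static const char *names[] = {"OK", "UNSEQ_TOKEN", "GAP_TOKEN",
                                  "DUPLICATE_TOKEN", "OLD_TOKEN"};
    struct seq_state s;
    seq_init(&s, 100, 64);
    for (size_t i = 0; i < SCENARIO_LEN; i++)
        printf("seq %3llu -> %s\n", (unsigned long long)scenario[i],
               names[seq_check(&s, scenario[i])]);
    return 0;
}
```

The interesting step is sequence number 136 after 200 has been accepted: it lies exactly 64 below the expected next value of 201, so the receiver has no bitmap entry for it and reports it as old rather than guessing, which is the GSS_S_OLD_TOKEN behaviour the reply attributes to 1.13; 137 is still inside the window and is accepted once, then flagged as a duplicate on its second arrival.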