
Message from a.cudbardb@freeradius.org

Hi All,

A while back there was some discussion about the current krb5 module in FreeRADIUS being single threaded, and that it may no longer be necessary for it to be single threaded.

It transpires that both MIT and Heimdal libraries are now thread safe, MIT since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 (documentation is fuzzy).

I can't test beyond compiling the code against the Kerberos library, and maybe setting up a test KDC/TGS. But for this to be put into the stable branch it really needs to be tested under load, against a range of Kerberos implementations.

We're looking for volunteers, preferably a mix of deployments using either MIT or Heimdal. The new module should just drop in for any v2.1.x deployment once compiled, as it doesn't use any new core API functions.

Change list:
* Both - Check that krb5 library was compiled with threading support on startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
* Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before the module returned REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP).
* Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
* MIT - Move options configuration so they're done at initialisation only (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.

For those wanting to test:
git clone git@github.com:arr2036/freeradius-server.git
cd freeradius-server
git checkout threaded_krb5

Report issues on: http://bugs.freeradius.org, and send feedback to either the list or me directly.

Thanks,
Arran

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
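The MIT path of the change list, as an added example rather than code from rlm_krb5 or FreeRADIUS: a per-request context clone, a TGT request with the supplied password, a krb5_verify_init_creds check of that TGT against the service keytab, and the mapping from krb5 error codes to the USERLOCK/NOTFOUND/REJECT/FAIL return codes the message describes. The rcode enum values, the function names and the inst_ctx/service parameters are this example's own assumptions, and when <krb5.h> is not installed the error constants are recomputed from MIT's error-table layout so the mapping still compiles; the verification flow itself needs the real headers.

```c
/* Added example, not the rlm_krb5 source: the MIT-path flow the change list
 * describes plus the krb5 error -> module rcode mapping. */
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<krb5.h>)
#    include <krb5.h>
#    define HAVE_KRB5 1
#  endif
#endif

#ifndef HAVE_KRB5
/* Fallback so the mapping compiles without libkrb5 headers. MIT's krb5 error
 * table is laid out as ERROR_TABLE_BASE_krb5 + <RFC 4120 error number>; these
 * values compute that, and are unused when <krb5.h> supplies the real macros. */
typedef long krb5_error_code;
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328384L + 6)
#define KRB5KDC_ERR_CLIENT_REVOKED      (-1765328384L + 18)
#define KRB5KDC_ERR_KEY_EXP             (-1765328384L + 23)
#define KRB5KDC_ERR_PREAUTH_FAILED      (-1765328384L + 24)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY    (-1765328384L + 31)
#endif

/* Local mirror of the FreeRADIUS return codes the module uses. The names are
 * the server's; the numeric values are this example's own (assumption). */
typedef enum {
    RLM_MODULE_REJECT = 0,
    RLM_MODULE_FAIL,
    RLM_MODULE_OK,
    RLM_MODULE_NOTFOUND,
    RLM_MODULE_USERLOCK
} rlm_rcode_t;

/* Map a krb5 result to the rcodes in the change list: revoked/expired ->
 * USERLOCK, unknown client principal -> NOTFOUND, bad password -> REJECT, and
 * everything else -> FAIL so a KDC outage is not reported as a wrong password. */
rlm_rcode_t krb5_to_rcode(krb5_error_code ret)
{
    switch (ret) {
    case 0:
        return RLM_MODULE_OK;
    case KRB5KDC_ERR_CLIENT_REVOKED:
    case KRB5KDC_ERR_KEY_EXP:
        return RLM_MODULE_USERLOCK;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return RLM_MODULE_NOTFOUND;
    case KRB5KDC_ERR_PREAUTH_FAILED:      /* wrong password with preauth required */
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:    /* wrong password, reply would not decrypt */
        return RLM_MODULE_REJECT;
    default:
        return RLM_MODULE_FAIL;
    }
}

#ifdef HAVE_KRB5
/* One authentication request. inst_ctx and service stand in for the module
 * instance's context and the service principal parsed once at initialisation. */
rlm_rcode_t krb5_check_password(krb5_context inst_ctx, krb5_principal service,
                                const char *user, const char *password)
{
    krb5_context ctx = NULL;     /* per-request clone: a context is not shared across threads */
    krb5_principal client = NULL;
    krb5_creds creds;
    krb5_verify_init_creds_opt vopt;
    krb5_error_code ret;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_copy_context(inst_ctx, &ctx);
    if (ret) return RLM_MODULE_FAIL;

    ret = krb5_parse_name(ctx, user, &client);
    if (ret) goto done;

    /* Ask the KDC for a TGT with the supplied password; unknown, revoked,
     * expired and bad-password errors all surface here. */
    ret = krb5_get_init_creds_password(ctx, &creds, client, password,
                                       NULL, NULL, 0, NULL, NULL);
    if (ret) goto done;

    /* Use the TGT against our own keytab to prove it came from the real KDC.
     * ap_req_nofail makes a missing keytab entry an error instead of a
     * silently skipped check; without it a spoofed KDC can pass this step. */
    krb5_verify_init_creds_opt_init(&vopt);
    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
    ret = krb5_verify_init_creds(ctx, &creds, service, NULL, NULL, &vopt);

done:
    krb5_free_cred_contents(ctx, &creds);
    if (client) krb5_free_principal(ctx, client);
    krb5_free_context(ctx);
    return krb5_to_rcode(ret);
}
#endif

int main(void)
{
    /* Constructed sample: the rcode the module would hand back for two KDC answers. */
    printf("client revoked -> rcode %d\n", krb5_to_rcode(KRB5KDC_ERR_CLIENT_REVOKED));
    printf("unknown client -> rcode %d\n", krb5_to_rcode(KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN));
    return 0;
}
```

The verification step is only as strong as the keytab behind it: krb5_verify_init_creds can confirm the TGT came from the real KDC only if the RADIUS host holds the service principal's key, so a deployment that wants the check to fail closed rather than silently skip should keep ap_req_nofail set and confirm the keytab entry exists before going live.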

Comments

Message from shuque@upenn.edu

Hi Aaron,

Sorry for the late response to this thread (I'm catching up on backlogged mail). I'm not sure if you got any volunteers, but we'd be very interested in testing this out (with MIT krb5 at least). Thanks for doing this work.

--Shumon.

On Fri, Jan 11, 2013 at 05:19:42PM +0000, Arran Cudbard-Bell wrote:
> (apologies for those on netman, this should have gone to wireless-lan originally)
>
> Hi All,
>
> A while back there was some discussion about the current krb5 module in FreeRADIUS being single threaded, and that it may no longer be necessary for it to be single threaded.
>
> It transpires that both MIT and Heimdal libraries are now thread safe, MIT since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 (documentation is fuzzy).
>
> I can't test beyond compiling the code against the Kerberos library, and maybe setting up a test KDC/TGS. But for this to be put into the stable branch it really needs to be tested under load, against a range of Kerberos implementations.
>
> We're looking for volunteers, preferably a mix of deployments using either MIT or Heimdal. The new module should just drop in for any v2.1.x deployment once compiled, as it doesn't use any new core API functions.
>
> Change list:
> * Both - Check that krb5 library was compiled with threading support on startup.
> * Both - Clone context on each request to ensure thread safety.
> * Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
> * Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before the module returned REJECT for almost everything.
> * Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP).
> * Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
> * MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
> * MIT - Move options configuration so they're done at initialisation only (instead of on every request).
> * MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
> * MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.
>
> For those wanting to test:
> git clone git@github.com:arr2036/freeradius-server.git
> cd freeradius-server
> git checkout threaded_krb5
>
> Report issues on: http://bugs.freeradius.org, and send feedback to either the list or me directly.
>
> Thanks,
> Arran

--
Shumon Huque
University of Pennsylvania.
