Red Hat Bugzilla – Bug 243910
krb5-libs are not thread-safe
Last modified: 2007-11-16 20:14:56 EST

The Kerberos libraries included in RHEL-4 are not thread-safe. This presents
problems for multi-threaded server software that accepts Kerberos authentication.
Newer Kerberos versions (1.5 and later) are supposed to be thread-safe. Is it
possible to backport any of these changes to make the libraries thread-safe on
RHEL-4? I have seen this done on other operating systems where pre-1.5 versions
of Kerberos were made thread-safe.

Thread-safety should have been sorted in the 1.4 release, but RHEL 4 included
version 1.3.4. A workaround I've seen used is to put a mutex around the
gss_accept_security_context() function calls. I can't say what kind of (if any)
performance hit this might create.

I'm not sure that backporting the proper fixes (threading mutexes through
libkrb5 and the gssapi libraries, at least) is really feasible at this point.

Since I'm coding my multi-threaded application against the SASL API, I don't
have an option to add a mutex around gss_accept_security_context(). This would
need to be done in the SASL GSSAPI plugin.

Since the Kerberos libraries are not, and will not, be thread-safe on RHEL-4, is
it possible to add a mutex around gss_accept_security_context() in the GSSAPI
SASL plugin that we include as a part of the cyrus-sasl-gssapi package? The
mutex would only be used if the application that was coded against SASL passes
in its own mutex function callbacks by calling sasl_set_mutex(), otherwise it
would have no effect.
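
The opt-in locking proposed above, sketched as an added example that is not part of the original bug report and is not cyrus-sasl or krb5 code: a wrapper takes a mutex around the non-thread-safe call only when the application has registered mutex callbacks. `demo_set_mutex`, `demo_accept`, `demo_guarded_accept` and the `app_*` callbacks are hypothetical stand-ins for sasl_set_mutex(), gss_accept_security_context(), the plugin's call site and the application's callbacks.

```c
/* Added illustration; every demo_ and app_ name is hypothetical, not cyrus-sasl or krb5 code. */
#include <pthread.h>
#include <stdlib.h>

/* Callback shapes modelled on the four that sasl_set_mutex() takes. */
typedef void *mutex_alloc_fn(void);
typedef int   mutex_lock_fn(void *m);
typedef int   mutex_unlock_fn(void *m);
typedef void  mutex_free_fn(void *m);

static mutex_lock_fn   *g_lock;
static mutex_unlock_fn *g_unlock;
static void *g_mutex;                 /* stays NULL unless the application opts in */
static int   g_held;                  /* demo bookkeeping: 1 while the lock is held */
static int   g_locked_calls, g_unlocked_calls;

/* Stand-in for sasl_set_mutex(): remember the callbacks and allocate one mutex. */
void demo_set_mutex(mutex_alloc_fn *a, mutex_lock_fn *l, mutex_unlock_fn *u, mutex_free_fn *f)
{
    (void)f;                          /* a real plugin would free the mutex at unload */
    g_lock = l; g_unlock = u;
    g_mutex = (a && l && u) ? a() : NULL;
}

/* Stand-in for the non-thread-safe call; records whether it ran under the lock. */
static int demo_accept(int token)
{
    if (g_held) g_locked_calls++; else g_unlocked_calls++;
    return token < 0 ? -1 : 0;        /* negative token = constructed failure case */
}

/* Plugin-side wrapper: serialize only when callbacks were registered. */
int demo_guarded_accept(int token)
{
    int rc;
    if (g_mutex && g_lock(g_mutex) != 0) return -1;
    rc = demo_accept(token);
    if (g_mutex) g_unlock(g_mutex);   /* released on the failure path too */
    return rc;
}

/* Application-side callbacks backed by pthreads. */
void *app_alloc(void)
{
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
int  app_lock(void *m)   { int r = pthread_mutex_lock(m); if (r == 0) g_held = 1; return r; }
int  app_unlock(void *m) { g_held = 0; return pthread_mutex_unlock(m); }
void app_free(void *m)   { pthread_mutex_destroy(m); free(m); }
```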

Yes, I think that's doable. It looks like that was done in 2.1.20,
while RHEL 4 has 2.1.19 and RHEL 5 has 2.1.22. The patch looks pretty
well-isolated. Moving to cyrus-sasl and proposing for 4.6 as an

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.