Date: Sun, 7 Oct 2012 16:17:05 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Piete Brooks <Piete.Brooks@cl.cam.ac.uk>
Cc: FS List <freebsd-fs@freebsd.org>, Ilias Marinos <ilias.marinos@cl.cam.ac.uk>, Brooks Davis <brooks@csl.sri.com>, Herbert Poeckl <freebsdml@ist.tugraz.at>
Subject: Kerberized NFS/gssd credential cache issue
Message-ID: <2071960851.1864186.1349641025365.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <E1TKsFj-0007ai-9s@mta0.cl.cam.ac.uk>
Piete Brooks wrote:
> I initially took the priorities to be sorted, but it seems that all just add
> one to the score. Is this as planned, or should "++" become "|= 1 << N" so
> that the most important one always wins?

My intent was that they all count the same, because I don't know if one is more important than another. (A "more important" one could add +N, if we collectively decide what is "more important".)

I hope you don't mind, but I thought if this is going to be discussed, it should be on a mailing list, so I've replaced some of the cc's with freebsd-fs@. (I took out the ones I believe will be reading the list.)

Everyone, a discussion has been going on w.r.t. an NFS over Kerberos issue, where the gssd can't find the Kerberos credentials cache file because it assumes it uses a name /tmp/krb5cc_<N>, where <N> is the effective uid. Some setups of sshd use different naming, usually a random suffix appended to the above, to differentiate between login sessions, so the credentials cache can be destroyed upon logout. The Linux gssd does a search of directories, using various heuristics to try and guess which file is the most appropriate one.

I've coded a function that does something similar. Since I am not a Kerberos wizard, I don't know how appropriate the heuristics are. I have attached testcc.c, which is the function plus a simple main() to test it. (Once tested, this function would be used in the gssd to select a credentials cache file.)

The current code does the following:
- Searches a directory for files that satisfy the following:
  - has "krb5cc_" as a substring of the file's name
  - is a regular file
  - is owned by the uid
  - has a valid tgt in it

For each file that satisfies the above, I generate a "rating", which is an attempt at heuristically guessing the most appropriate file, when there is more than one file matching the above:
- add one to the rating for each of
  - not a cross-realm tgt
  - the principal without realm is the same name as getpwuid(uid)->pw_name
  - if the realm for the client principal is the preferred realm (the preferred realm and "krb5cc_" substring are arguments and I was assuming the preferred realm will usually be the default realm)

Each of these currently counts one towards the rating. If multiple files matching the above get the same rating, it uses the one that has the tgt that expires later.

So, Kerberos wizards... Should there be other criteria for selecting the file? Should some of the rating checks count for more than others? (They currently each count as 1, although some could count for more.)

Personally, I don't like the idea that a uid has multiple credential cache files, since there is no definitive way to select the "correct one" to authenticate a "uid", but it seems unavoidable.

Thanks in advance for any comments, rick
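The rating and tie-break rule described in the message above, as an added example in C that is not Rick's testcc.c (the attachment is not on this page): it assumes the directory walk has already been done and that each candidate's client principal, realms and TGT expiry have been extracted (for instance with libkrb5), so only the selection logic is shown, and all names and paths in it are constructed.

```c
/* Added example, not the gssd code: rate /tmp/krb5cc_* candidates the way the
 * mail describes (one point per heuristic, later-expiring TGT breaks ties).
 * Kerberos parsing is assumed to have happened already; fields are constructed. */
#include <stddef.h>
#include <string.h>
#include <time.h>

struct cc_candidate {
    const char *path;         /* e.g. "/tmp/krb5cc_1001_XyZ" (constructed) */
    const char *client_name;  /* client principal without the realm */
    const char *client_realm; /* realm of the client principal */
    const char *tgt_realm;    /* realm of the krbtgt service in the TGT */
    time_t      tgt_expires;  /* TGT end time */
};

/* Each heuristic counts the same, as in the mail. A weighted scheme would
 * add +N here instead of ++ for the checks deemed more important. */
int cc_rating(const struct cc_candidate *c, const char *pw_name,
              const char *preferred_realm)
{
    int rating = 0;
    if (strcmp(c->tgt_realm, c->client_realm) == 0)   /* not a cross-realm tgt */
        rating++;
    if (strcmp(c->client_name, pw_name) == 0)         /* matches getpwuid()->pw_name */
        rating++;
    if (strcmp(c->client_realm, preferred_realm) == 0) /* client realm is preferred */
        rating++;
    return rating;
}

/* Highest rating wins; on a tie, the candidate whose TGT expires later.
 * Returns NULL when there are no candidates. */
const struct cc_candidate *cc_select(const struct cc_candidate *cands, int n,
                                     const char *pw_name, const char *preferred_realm)
{
    const struct cc_candidate *best = NULL;
    int best_rating = -1;
    for (int i = 0; i < n; i++) {
        int r = cc_rating(&cands[i], pw_name, preferred_realm);
        if (r > best_rating ||
            (r == best_rating && cands[i].tgt_expires > best->tgt_expires)) {
            best = &cands[i];
            best_rating = r;
        }
    }
    return best;
}
```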