logo_kerberos.gif

Difference between revisions of "Projects/Keyring collection cache"

From K5Wiki
Jump to: navigation, search
 
Line 1: Line 1:
{{project-target|1.12}}
+
{{project-rel|1.12}}
{{project-review|2013-10-04}}
 
   
 
= Scope =
 
= Scope =

Latest revision as of 09:38, 4 October 2013

This project was completed in release 1.12.


Scope

Augment the KEYRING ccache type to support collections, and to support a new type of key which persists across multiple user login sessions until the ticket expires.

Background and previous work

The MIT Kerberos code base already include a KEYRING ccache type that uses kernel keyrings to implement a credential cache modeled after the FILE cache type. This cache type has 3 important limitations:

  • It uses only session, process, or thread based keyrings. This means the cache cannot survive a user logout and cannot be shared between different sessions of the same user.
  • It uses the classic "user" key type. The "user" key type is limited in size because it uses non-swappable memory, so it has issues storing large tickets (like those including MS-PAC authdata) due to strict default quotas on this type of key.
  • It cannot represent cache collections.

Current keyring cache format

The current implementation creates a new keyring named after the residual and links it to either the session, process, or thread special keyrings.

This keyring contains one special key named "__krb5_princ__" which contains the cache principal name. Each credential is stored as a separate key in the same keyring. The __krb5_princ__ key and the credential keys use the "user" key type, and contain serialized representations of the principal name or credential as appropriate.

Example: KRB5CCNAME=KEYRING:testccache

session
 \_testccache
    \_ __krb5_princ__
    \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
    \_ krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.KERBEROS.ORG\@TEST.KERBEROS.ORG@X-CACHECONF
    \_ krb5_ccache_conf_data/pa_type/krbtgt\/TEST.KERBEROS.ORG\@TEST.KERBEROS.ORG@X-CACHECONF
    \_ HTTP/http.test.kerberos.org@TEST.KERBEROS.ORG
    \_ ...

Design components

Linux Kernel improvements

Addition of a new key type "big_key" that allows us to create keys up to 1MiB in size, backed by internal kernel tmpfs, allowing the contents to be swapped out to disk (unlike most other keyrings, which remain in unswappable kernel memory).

Creation of a new public interface, keyctl_get_persistent. This API allows the user or a privileged process to access keys for a specified UID. This keyring is not tied to a session, so it can outlive a login session if there is a need to perform actions while not logged in, via a cron scripts or similar. This kernel keyring is created automatically on the first request if it does not yet exist.

Proposed patches by David Howells with explanatory comments on the kernel krbcache keyring: http://mailman.mit.edu/pipermail/krbdev/2013-August/011650.html (note now renamed to 'persistent')

Augmenting the current KEYRING cache type

The current keyring ccache type accepts the following residual forms:

  • KEYRING:<name>
  • KEYRING:process:<name>
  • KEYRING:thread:<name>

where <name> is an arbitrary string. The first form implies the use of a session keyring.

libkrb5 will now accept new forms for the residual string:

  • KEYRING:session:<name>
  • KEYRING:user:<name>
  • KEYRING:persistent:<uidnumber>

All residual forms will support cache collections.

The session and user keyrings use the session and user keyrings respectively. The new "persistent" form uses a special keyring as provided by the new keyutils call keyctl_get_persistent(). It requires support from the kernel for this new type; otherwise, it will fall back to the user keyring and the "user" key type.

Individual caches within the collection are identified and displayed by appending the specific cache keyring name to the main residual. For example:

 KEYRING:persistent:123:krb_ccache_WE324ffdX

New credential cache collection schema

A collection is represented with a keyring named "_krb_<name>", where <name> is from the residual string. The collection keyring links to a cache keyring for each cache within the collection, and also to a key named "krb_ccache:primary" of type "user", containing a serialized representation of the primary cache name.

Cache keyrings are named "krb_ccache_XXXXXX", where XXXXXX is a unique string. The format of a cache keyring is unchanged.

For the "thread", "process", "session", and "user" residual forms, the collection keyring is named "_krb_<name>" (where <name> is from the residual string) and is linked into the appropriate special keyring. For the "persistent" form, the cache keyring is named "_krb" and is linked to the persistent keyring.

When the classic session residual form ("KEYRING:<name>") is used, the first cache is handled specially. It is named with just the <name> from the residual string, and is linked to both the session keyring and to the "_krb_<name>" collection keyring.

Examples:

  • KRB5CCNAME=KEYRING:testccache
session
 \_ testccache
     \_ __krb5_princ__
     \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
     \_ ...
 \_ _krb_testccache
     \_ testccache <link to the key above>
     \_ krb_ccache_WQRQWTQ3
     \_ ...
     \_ krb_ccache:primary (points to testccache at collection cration)
  • KRB5CCNAME=KEYRING:user:testusercc
user
 \_ _krb_testusercc
     \_ krb_ccache_12WEF43f2
         \_ __krb5_princ__
         \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
         \_ ...
     \_ krb_ccache_fdgsER324
     \_ ...
     \_ krb_ccache:primary (krb_ccache_12WEF43f2)
  • KRB5CCNAME=KEYRING:persistent:123
_persistent.123
 \_ _krb
     \_ krb_ccache_12WEF43f2
         \_ __krb5_princ__
         \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
         \_ ...
     \_ krb_ccache_fdgsER324
     \_ ...
     \_ krb_ccache:primary (krb_ccache_12WEF43f2)

Testing

The new keyring functionality will be tested using the t_cccol.c and t_cc.c test programs, the existing tests in t_ccache.py, and new tests added to t_ccache.py to check for legacy session cache linkage.

Documentation

The KEYRING credential cache type is currently undocumented. If time permits, doc/basic/ccache_def.rst will be created and will document all credential types, including KEYRING with its new functionaliy.

Mailing list discussions

Commits

  • 620275cd43e237ab273b726b2aee0ae729587772 Add ccache collection tests using API
  • d7b94742daae85329067b126d0a4bc5b2ea7e4a0 Improve kinit output credential cache selection
  • 1f1b76ab8937c2cb0273cc5d8a7ee806240e1879 Add "which" function to k5test
  • 75b7ea9163e57ff0522f55a9cd0c2ab4b4974e38 Defer KEYRING key creation until initialize
  • 253155e1db678546358b69ab953f8fdd9b7fb23a Clarify variable names in cc_keyring.c
  • c1e8d03a6254e3ce86a71eed31e4c127e3324f9b Add collection support for KEYRING ccache type
  • 7c69a0372db5b7ed670ef3099a97942ede7a4739 Support new KEYRING anchor names and big_key keys
  • 5d03cb6b235f0ee0e30b34630f95f208d6acd3d0 Conditionally test KEYRING ccache type

Tickets

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7711

Release notes

Administrator experience:

  • Add collection support to the KEYRING credential cache type on Linux, and add support for persistent user keyrings and larger credentials on systems which support them.