Difference between revisions of "Projects/Credential Store extensions"
Revision as of 15:48, 3 May 2012
This project is about adding a set of extensions to GSSAPI to more easily handle credentials in a mechanism agnostic way.
Background
During the development of the GSS-Proxy project in connection with the Projects/ProxyGSSAPI project it became evident that the application implementing the proxy needs to be able to be configured to use different credentials depending on what application is connecting to the proxy. Using the normal defaults of GSSAPI is not possible because the proxy application does not run in the same security context as the proxied application and it may run multiple concurrent tasks on behalf of different applications with different trust/credentials.
A method to pass a set of default credentials to use on behalf of these applications is necessary. This method should not be mechanism specific, as the proxy tries to be mechanism agnostic as much as possible.
In this light a 'Credential Stores' Extension has been proposed on the Kitten IETF Mailing list.
Requirements
- Abstract interface to pass credential store configuration to GSSAPI mechanisms.
- The credentials need to be specified in configuration files, so no security-sensitive information (such as passwords) may be exposed there.
- Mechanisms can define their own key/value pairs
- New Key/Value pairs can be easily added in future
- The API itself need not know how to interpret key/value pairs; they are passed directly to the mechanisms.
Architecture
The exposed public functions are paired with an analogous one in the mechglue SPI to give mechanisms access to the Credentials Store. The implementation provides functions only for mechanisms for which it makes sense, initially krb5 but not SPNEGO.
New APIs
Functions:
- GSS_Acquire_cred_from()
- GSS_Add_cred_from()
- GSS_Store_cred_into()
Structures:
- gss_cred_store_element_struct
- gss_cred_store_struct
If the cred store structure does not contain a mechanism specific configuration for the mechanism at hand, the usual defaults are applied.
gss_acquire_cred_from()
Acquires new credentials using the provided store. The store can specify the actual credentials, the credential cache, or both. In the Krb5 mechanism case it could specify a keytab and a ccache location.
gss_add_cred_from()
Same as above but can target a specific mechanism. The credential store need not be mechanism specific and remains abstract.
gss_store_cred_into()
This is analogous to gss_store_cred() except that a specific credential store can be specified (in the krb5 case generally a ccache file).
gss_cred_store_element_struct
A URN/value pair. Example:
URN = 'ccache'
Value = 'FILE:/tmp/somecc'
gss_cred_store_struct
A counter and an array of elements.
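As an added example (not the page's or MIT krb5's own code), the two structures above modelled in C together with the lookup a mechanism would perform on them in gss_acquire_cred_from(), including the fall-back to the usual defaults when the store carries no configuration for that mechanism. Field layouts, the helper names and the default krb5 paths are assumptions.

```c
/* Added example (not from the page or MIT krb5): a self-contained model of
 * the proposed store structures and of the lookup a mechanism performs.
 * Field layouts and the krb5 default paths below are assumptions. */
#include <stddef.h>
#include <string.h>

/* gss_cred_store_element_struct: a URN/value pair. */
typedef struct gss_cred_store_element_struct {
    const char *urn;    /* e.g. "ccache" or "keytab" */
    const char *value;  /* e.g. "FILE:/tmp/somecc" */
} gss_cred_store_element_desc;
/* gss_cred_store_struct: a counter and an array of elements. */
typedef struct gss_cred_store_struct {
    size_t count;
    const gss_cred_store_element_desc *elements;
} gss_cred_store_desc;

/* Return the value configured for a URN, or NULL if the store has none.
 * The API layer never interprets URNs; it passes the store to mechanisms. */
const char *cred_store_get(const gss_cred_store_desc *store, const char *urn)
{
    size_t i;
    if (store == NULL)
        return NULL;
    for (i = 0; i < store->count; i++)
        if (strcmp(store->elements[i].urn, urn) == 0)
            return store->elements[i].value;
    return NULL;
}

/* krb5 side: take keytab/ccache from the store, else the usual (assumed) defaults. */
#define KRB5_DEFAULT_KEYTAB "FILE:/etc/krb5.keytab"
#define KRB5_DEFAULT_CCACHE "FILE:/tmp/krb5cc_0"
const char *krb5_keytab_from_store(const gss_cred_store_desc *store)
{
    const char *v = cred_store_get(store, "keytab");
    return v != NULL ? v : KRB5_DEFAULT_KEYTAB;
}

const char *krb5_ccache_from_store(const gss_cred_store_desc *store)
{
    const char *v = cred_store_get(store, "ccache");
    return v != NULL ? v : KRB5_DEFAULT_CCACHE;
}

/* The page's example store, constructed here: only a ccache is configured. */
static const gss_cred_store_element_desc example_elements[] = {
    { "ccache", "FILE:/tmp/somecc" },
};
const gss_cred_store_desc example_store = { 1, example_elements };
```

With only 'ccache' present, the krb5 mechanism uses the configured cache and falls back to the default keytab, which is exactly the "usual defaults are applied" rule stated above.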