logo_kerberos.gif

Difference between revisions of "Projects/Keytab initiation"

From K5Wiki
Jump to: navigation, search
(Code components)
(Code components)
Line 33: Line 33:
 
Initial credentials obtained through automated keytab initiation will be cached in the default ccache or, if the default ccache type supports it, the associated collection. The new ccache will remember, using ccache config entries, which keytab name was used to obtain the credentials and the time of the last attempt to refresh them (if any). The gss-krb5 initiator code will attempt to refresh the cache with the keytab again if (1) the credentials are at least halfway to being expired, and (2) the last recorded attempt to refresh the cache was more than a minimum delta of time in the past.
 
Initial credentials obtained through automated keytab initiation will be cached in the default ccache or, if the default ccache type supports it, the associated collection. The new ccache will remember, using ccache config entries, which keytab name was used to obtain the credentials and the time of the last attempt to refresh them (if any). The gss-krb5 initiator code will attempt to refresh the cache with the keytab again if (1) the credentials are at least halfway to being expired, and (2) the last recorded attempt to refresh the cache was more than a minimum delta of time in the past.
   
=== Code components ===
+
=== Code changes ===
   
 
In gss-krb5:
 
In gss-krb5:
   
* acquire_init_creds: if #7160 is fixed, credentials should be considered available if the default client keytab has content. If a desired_name is specified and no credentials for it are available in the default ccache [collection], the default client keytab should be searched for the specified principal.
+
* acquire_init_creds: if #7160 is fixed, credentials should be considered available if the default client keytab has content. If a desired_name is specified and no credentials for it are available in the default ccache (or collection), search the default client keytab for desired_name and, if it is found, prep the default ccache (or a new ccache in the collection) for keytab initiation.
   
* kg_resolve_cred: (TBD)
 
  +
* kg_cred_resolve: if client_princ is determined by krb5_cc_select but no cache is available, search the default client keytab for that principal and prep a ccache as above. (TBD: obviously this should be factored out into a helper; figure out how that fits in with scan_ccache and prep_ccache.)
   
* get_credentials: (TBD)
 
  +
* get_credentials: before calling krb5_get_credentials, check the cache for config variables indicating it's time to try a refresh with the client keytab. If so, and this is not an IAKERB cred, attempt the refresh. If it fails, record the timestamp of the last refresh. If krb5_get_credentials fails with KRB5_CC_NOTFOUND and this is not an IAKERB cred, try to get credentials with the default client keytab. (TBD: some of this logic should be in private libkrb5 interfaces for use by FAST ccaches.)
  +
  +
* iakerb_get_initial_state: similar logic to the above, but set up for an IAKERB AS request instead of actually getting initial credentials with the default client keytab.
   
 
(To be finished)
 
(To be finished)

Revision as of 00:12, 12 June 2012

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project is to add support for automatically getting credentials for gss-krb5 security context initiation using a keytab.

Overview

To initiate a gss-krb5 security context, one needs credentials (typically a TGT). During a user login session, these credentials are typically obtained ahead of time by the login system or using kinit (or on Windows or OSX, by bringing up a UI prompt from inside the GSSAPI functions). When a service wishes to communicate with another service, it uses its keytab to acquire credentials. Currently, it is necessary to use kinit -k or k5start out of band in order to ensure that credentials are available for the server's use. This project is to automate this process within the GSSAPI calls.

Requirements

1. The system should work, perhaps with some external configuration, for a typical caller which invokes gss_init_sec_context() with no initiator cred (or, equivalently, acquires an initiator cred with no desired name).

2. The system should also behave as well as possible when the caller does supply a desired name, or when krb5_cc_select() can deduce a client principal from the target name. In this case, multiple principals from the same keytab might be used for different initiations.

3. The system should work well with credential cache collections (see Projects/Client_principal_selection). For example, an application should be able to, from the same process, initiate two security contexts with different desired names, using the same keytab, and have the resulting credentials both be cached within the collection (assuming the default ccache is collection-enabled).

4. There should be minimal or no surprise. An existing deployment of GSSAPI applications should not begin doing keytab-based initiation and write to the default per-uid ccache without reason to believe this is intended.

5. Credentials obtained this way should be cached. Otherwise, applications which initialize many security contexts (such as HTTP clients) could generate large numbers of unnecessary AS and TGS requests.

It is not required for this system to work with initiators like krlogin which directly use libkrb5. However, some of the underlying components may be useful for FAST armor ccaches, so putting reusable parts of the code in libkrb5 is desirable.

Design

Default client keytab

libkrb5 provides an API for discovering the default keytab (krb5_kt_default()). The underlying mechanism for discovering this keytab may be an environment variable (KRB5_KTNAME), a profile relation (default_keytab_name under libdefaults), or a hardcoded default (/etc/krb5.keytab). This keytab is currently used, absent application input the contrary, for accepting security contexts with gss_accept_sec_context or krb5_rd_req.

Automated keytab initiation will not make use of this keytab. Instead, there will be a new complementary "default client keytab", obtained with krb5_kt_client_default(), with its own set of underlying discovery mechanisms. Unless an administrator sets up a client keytab, automated keytab initiation will not take place, thus minimizing surprise.

Caching and refreshing

Initial credentials obtained through automated keytab initiation will be cached in the default ccache or, if the default ccache type supports it, the associated collection. The new ccache will remember, using ccache config entries, which keytab name was used to obtain the credentials and the time of the last attempt to refresh them (if any). The gss-krb5 initiator code will attempt to refresh the cache with the keytab again if (1) the credentials are at least halfway to being expired, and (2) the last recorded attempt to refresh the cache was more than a minimum delta of time in the past.

Code changes

In gss-krb5:

  • acquire_init_creds: if #7160 is fixed, credentials should be considered available if the default client keytab has content. If a desired_name is specified and no credentials for it are available in the default ccache (or collection), search the default client keytab for desired_name and, if it is found, prep the default ccache (or a new ccache in the collection) for keytab initiation.
  • kg_cred_resolve: if client_princ is determined by krb5_cc_select but no cache is available, search the default client keytab for that principal and prep a ccache as above. (TBD: obviously this should be factored out into a helper; figure out how that fits in with scan_ccache and prep_ccache.)
  • get_credentials: before calling krb5_get_credentials, check the cache for config variables indicating it's time to try a refresh with the client keytab. If so, and this is not an IAKERB cred, attempt the refresh. If it fails, record the timestamp of the last refresh. If krb5_get_credentials fails with KRB5_CC_NOTFOUND and this is not an IAKERB cred, try to get credentials with the default client keytab. (TBD: some of this logic should be in private libkrb5 interfaces for use by FAST ccaches.)
  • iakerb_get_initial_state: similar logic to the above, but set up for an IAKERB AS request instead of actually getting initial credentials with the default client keytab.

(To be finished)