From: Simo Sorce <simo@redhat.com>
To: "Adamson, Andy" <William.Adamson@netapp.com>
Cc: "<steved@redhat.com>" <steved@redhat.com>,
"<linux-nfs@vger.kernel.org>" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH Version 2 0/3] GSSD: Use gss-ctx keys and gsskeyd to sync Kerberos credentials and kernel gss_contexts.
Date: Wed, 20 Nov 2013 15:49:47 -0500 [thread overview]
Message-ID: <1384980587.17044.49.camel@willson.li.ssimo.org> (raw)
In-Reply-To: <096F13FC-A99E-4C19-ACCA-01C244D7420F@netapp.com>
On Wed, 2013-11-20 at 20:35 +0000, Adamson, Andy wrote:
> Hi
>
> As suggested, I approached the Kerberos@mit.edu about the possibility
> of a plugin architecture for libkrb5 credential cache manipulation
> functions so that we could trigger the kernel GSS_context management
> functions.
[..]
>
> It appears that Solution 4: [plugin architecture to libkrb for
> callouts on functions that manipulate kerberos credentials.] is a
> no-go.
>
> I agree that Solution 1: [inotify on FILE credentials] is clunky and
> won't work well.
>
> Solution 2: [integrate with KEYRING credentials] could work if we
> insist that all NFS Kerberos credentials use the KEYRING: - e.g. the
> proposed new 'big-key' type. Note there is no backporting of this
> solution.
Note that solution 2 is semantically identical to solution 4, you are
going to try to guess what user space is doing, based on how it
manipulates caches, and would have the same side effects.
> I think Solution 3: [nfslog/nfslogout interfaces invoked from PAM or
> other login system facility] is a good way to go. Note that a PAM
> based solution where in the PAM would get us most of the way towards
> providing users with a way to login and logout of NFS kerberized
> shares.
>
> Comments on an NFS PAM that will destroy GSS context for a UID upon
> logout?
I prefer 3 too, let it to the login system (whether PAM based or other)
to determine when it is time to destroy credentials, that's the only
component that have a chance of guessing right.
Of course you could also provide a user utility to force a purge.
> Simo - I answered your latest comments below in-line.
[..]
> I think a PAM based solution will get us most of the way there.
Agree.
> > So the way I see it you probably want to keep the tracking in
> > whatever tool you want to use to experiment (say gsskeyd) and only
> > provide a downcall to the kernel that will tell it: destroy any
> > cache for 'uid number (optionally pass in a session id too ?)'.
>
> This is what the gss-ctx keyring destroy method is - a downcall to the
> kernel telling it to destroy all GSS_contexts for a UID.
Why do you need to abuse the keyring interface to implement a syscall ?
Or did I misunderstand what you mean by "telling the kernel to do X" ?
> > This way you can replace the logic of how to keep track of what is
> > going on completely in user space, where it can easily be adjusted
> > and adapted as experience is gained.
> >
> > IE: track it completely in userspace for now and only provide a
> > syscall to kill creds per UID, no tracking on the kernel side.
>
> Yes - I believe that is what the gss-ctx keyring code I wrote does.
A keyring is not a syscall.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
next prev parent reply other threads:[~2013-11-20 20:49 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-22 14:22 [PATCH Version 2 0/3] GSSD: Use gss-ctx keys and gsskeyd to sync Kerberos credentials and kernel gss_contexts andros
2013-10-22 14:22 ` [PATCH Version 2 1/3] GSSD add cc_name to upcall andros
2013-10-22 15:07 ` Simo Sorce
2013-10-22 14:22 ` [PATCH Version 2 2/3] WIP: Add gsskeyd andros
2013-10-23 14:30 ` Steve Dickson
2013-10-23 14:40 ` Weston Andros Adamson
2013-10-23 15:02 ` Adamson, Andy
2013-10-22 14:22 ` [PATCH Version 2 3/3] ANDROS: update gsskeyd to use new /run/user/UID/krb5cc/tgt cache file andros
2013-10-22 15:02 ` [PATCH Version 2 0/3] GSSD: Use gss-ctx keys and gsskeyd to sync Kerberos credentials and kernel gss_contexts Simo Sorce
2013-10-22 15:32 ` Adamson, Andy
2013-10-22 16:09 ` Simo Sorce
2013-10-22 17:00 ` Adamson, Andy
2013-10-22 17:25 ` Simo Sorce
2013-11-20 20:35 ` Adamson, Andy
2013-11-20 20:49 ` Simo Sorce [this message]
2013-11-20 21:21 ` Adamson, Andy
2013-11-20 21:24 ` Adamson, Andy
2013-11-22 19:09 ` Simo Sorce
2013-11-22 20:44 ` Adamson, Andy
2013-11-21 13:37 ` Steve Dickson
2013-11-22 19:11 ` Simo Sorce
2013-11-22 21:28 ` Trond Myklebust
2013-11-22 21:39 ` Simo Sorce
2013-10-22 15:46 ` Weston Andros Adamson
2013-10-22 16:11 ` Simo Sorce
2013-10-22 16:14 ` Weston Andros Adamson
2013-10-22 16:39 ` Adamson, Andy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1384980587.17044.49.camel@willson.li.ssimo.org \
--to=simo@redhat.com \
--cc=William.Adamson@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.