From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: Simo Sorce <simo@redhat.com>
Cc: Nico Williams <nico@cryptonector.com>,
dhowells <dhowells@redhat.com>,
linux-nfs@vger.kernel.org, krbdev <krbdev@mit.edu>
Subject: Re: GSSAPI Proxy initiative
Date: Thu, 03 Nov 2011 17:46:46 -0400 [thread overview]
Message-ID: <1320356806.18396.149.camel@lade.trondhjem.org> (raw)
In-Reply-To: <1320355818.7734.685.camel@willson.li.ssimo.org>
On Thu, 2011-11-03 at 17:30 -0400, Simo Sorce wrote:
> On Thu, 2011-11-03 at 15:53 -0500, Nico Williams wrote:
> > On Thu, Nov 3, 2011 at 3:39 PM, Trond Myklebust
> > <Trond.Myklebust@netapp.com> wrote:
> > >> What I had in mind was something like PAGs or keyrings. Or, to be
> > >> much more specific, search for my name and the string "credentials
> > >> process groups" -- a PAG on steroids.
> > >>
> > >> The idea is that the IPC peer can observe the other's
> > >> PAG/keyring/CPG/whatever and use that to find the correct credentials
> > >> (authorization is still required though).
> > >
> > > Linux already has per-user, per-process and per-thread keyrings which
> > > offer a high security storage solution for keys. The problem with those
> > > is that they are difficult to use in an asynchronous context when the
> > > original user's process/thread context is no longer available to us.
> >
> > For async IPC methods you'd want something like SCM_CREDENTIALS to
> > give you the keyring/PAG/whatever information you need abou thte peer.
> > The ancillary data should be complete enough that you can past the
> > client process/thread being dead, although it's nice to not have to
> > process a request from a dead entity...
> >
> > For sync IPC you need something like door_ucred(). And for sync IPC
> > you can make sure to get SIGCANCEL or equivalent when the client gets
> > canceled (this is the default in doors).
> >
> > > Ideally, though, that's what we'd like to see used.
> >
> > Agreed!
>
> I have discussed use of the keyring in a private discussion before
> starting the thread, and it turns out the keyring has a number of
> limitations that makes it probably unsuitable for this project.
>
> As an upcall mechanism it has some limitations on the size of the
> payloads, IIRC limited to a page, and that means that you cannot pass
> blobs carrying big kerberos tickets.
>
> As a storage mechanism for credential caches it also has size limits.
> Currently the limit is 20k per user which is not even enough to hold a
> single ticket in some cases. This limit can be increased of course, but
> then you end keeping around a huge amount of unswappable ram depending
> on the number of users.
Allowing keys to be swapped out is a really really really really really
really bad idea when your kernel depends upon them being available as
part of the memory reclaim process, as would be the case when you are
talking about NFS, CIFS or AFS dirty page writebacks.
> So for long term storage of credentials we will probably not rely on
> kernel keyrings, nor as an upcall mechanism.
So this would be an argument for scrapping keyrings from the kernel? If
they're not good for kerberos tickets, why would we want to keep them at
all?
What would you replace them with, given the above requirements
concerning swapping?
--
Trond Myklebust
Linux NFS client maintainer
NetApp
Trond.Myklebust@netapp.com
www.netapp.com
next prev parent reply other threads:[~2011-11-03 21:46 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-02 21:26 GSSAPI Proxy initiative Simo Sorce
2011-11-02 23:05 ` Simo Sorce
2011-11-03 3:24 ` Nico Williams
2011-11-03 14:58 ` Simo Sorce
2011-11-03 16:05 ` Nico Williams
2011-11-03 16:31 ` Simo Sorce
2011-11-03 18:57 ` Nico Williams
2011-11-03 20:39 ` Trond Myklebust
2011-11-03 20:53 ` Nico Williams
2011-11-03 21:30 ` Simo Sorce
2011-11-03 21:46 ` Trond Myklebust [this message]
2011-11-03 22:00 ` Simo Sorce
2011-11-03 22:16 ` Myklebust, Trond
2011-11-03 23:47 ` Simo Sorce
2011-11-04 14:34 ` J. Bruce Fields
2011-11-04 15:13 ` Nico Williams
2011-11-04 15:36 ` Nico Williams
2011-11-04 15:55 ` Adamson, Andy
2011-11-04 16:20 ` Nico Williams
2011-11-04 16:25 ` Simo Sorce
2011-11-04 16:43 ` Nico Williams
2011-11-04 16:30 ` Adamson, Andy
2011-11-04 16:42 ` Nico Williams
2011-11-04 14:51 ` Nico Williams
2011-11-03 21:58 ` Tom Yu
2011-11-03 15:42 ` Nico Williams
2011-11-03 16:10 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1320356806.18396.149.camel@lade.trondhjem.org \
--to=trond.myklebust@netapp.com \
--cc=dhowells@redhat.com \
--cc=krbdev@mit.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=nico@cryptonector.com \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).