logo_kerberos.gif

Difference between revisions of "Projects/Interposer Mechanism"

From K5Wiki
Jump to: navigation, search
Line 1: Line 1:
 
{{project-early}}
 
{{project-early}}
  +
  +
This project is about creating a mechanism by which it is possible to intercept accepting and initializing a security context at the mechglue layer so that any mechanism can be ideally proxied to a separate application potentially running in a different security context.
   
 
= Background =
 
= Background =

Revision as of 14:44, 2 October 2012

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project is about creating a mechanism by which it is possible to intercept accepting and initializing a security context at the mechglue layer so that any mechanism can be ideally proxied to a separate application potentially running in a different security context.

Background

During the development of the GSS-Proxy project in connection with the Projects/ProxyGSSAPI a new GSSAPI Mechanism interface has emerged. We call this kind of mechanism an Interposer Mechanism as it intercept all function calls for a specific mechanism.

The Interposer Mechanism instructs the mechglue layer on what mechanisms it wants to interpose. Once a mechnism is interposed the mechglue will always call the interposer for any function related to interposed mechanism.

The interposer plugin is responsible for handling the requested functionality, it can proxy it to another process (for example to the GSS-Proxy daemon) or can short-circuit it back to the mechglue in order to call the original mechanism handler.

Requirements

The Interposer mechanism must be able to intercept any mechanism function. The Interposer mechanism must also be able to call back into the mechglue in order to execute code using the original mechanism. The interposer mechanism should be completely transparent to applications, in that pure gssapi application should not need any modification in order to work with the interposer mechanism nor need to issue any special call to use the interposer functionality.