logo_kerberos.gif

Projects/Keyring collection cache

From K5Wiki
< Projects
Revision as of 17:50, 27 September 2013 by Ghudson (talk | contribs)

Jump to: navigation, search
This project is targeted at release 1.12.

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2013-10-04.

Comments can be sent to krbdev@mit.edu.


Scope

Augment the KEYRING ccache type to support collections, and to support a new type of key which persists across multiple user login sessions until the ticket expires.

Background and previous work

The MIT Kerberos code base already include a KEYRING ccache type that uses kernel keyrings to implement a credential cache modeled after the FILE cache type. This cache type has 3 important limitations:

  • It uses only session, process, or thread based keyrings. This means the cache cannot survive a user logout and cannot be shared between different sessions of the same user.
  • It uses the classic "user" key type. The "user" key type is limited in size because it uses non-swappable memory, so it has issues storing large tickets (like those including MS-PAC authdata) due to strict default quotas on this type of key.
  • It cannot represent cache collections.

Current keyring cache format

The current implementation creates a new keyring named after the residual and links it to either the session, process, or thread special keyrings.

This keyring contains one special key named "__krb5_princ__" which contains the cache principal name. Each credential is stored as a separate key in the same keyring. The __krb5_princ__ key and the credential keys use the "user" key type, and contain serialized representations of the principal name or credential as appropriate.

Example: KRB5CCNAME=KEYRING:testccache

session
 \_testccache
    \_ __krb5_princ__
    \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
    \_ krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.KERBEROS.ORG\@TEST.KERBEROS.ORG@X-CACHECONF
    \_ krb5_ccache_conf_data/pa_type/krbtgt\/TEST.KERBEROS.ORG\@TEST.KERBEROS.ORG@X-CACHECONF
    \_ HTTP/http.test.kerberos.org@TEST.KERBEROS.ORG
    \_ ...

Design components

Linux Kernel improvements

Addition of a new key type "big_key" that allows us to create keys up to 1MiB in size, backed by internal kernel tmpfs, allowing the contents to be swapped out to disk (unlike most other keyrings, which remain in unswappable kernel memory).

Creation of a new public interface, keyctl_get_persistent. This API allows the user or a privileged process to access keys for a specified UID. This keyring is not tied to a session, so it can outlive a login session if there is a need to perform actions while not logged in, via a cron scripts or similar. This kernel keyring is created automatically on the first request if it does not yet exist.

Proposed patches by David Howells with explanatory comments on the kernel krbcache keyring: http://mailman.mit.edu/pipermail/krbdev/2013-August/011650.html (note now renamed to 'persistent')

Augmenting the current KEYRING cache type

The current keyring ccache type accepts the following residual forms:

  • KEYRING:<name>
  • KEYRING:process:<name>
  • KEYRING:thread:<name>

where <name> is an arbitrary string. The first form implies the use of a session keyring.

libkrb5 will now accept new forms for the residual string:

  • KEYRING:session:<name>
  • KEYRING:user:<name>
  • KEYRING:persistent:<uidnumber>

All residual forms will support cache collections.

The session and user keyrings use the session and user keyrings respectively. The new "persistent" form uses a special keyring as provided by the new keyutils call keyctl_get_persistent(). It requires support from the kernel for this new type; otherwise, it will fall back to the user keyring and the "user" key type.

Individual caches within the collection are identified and displayed by appending the specific cache keyring name to the main residual. For example:

 KEYRING:persistent:123:krb_ccache_WE324ffdX

New credential cache collection schema

A collection is represented with a keyring named "_krb_<name>", where <name> is from the residual string. The collection keyring links to a cache keyring for each cache within the collection, and also to a key named "krb_ccache:primary" of type "user", containing a serialized representation of the primary cache name.

Cache keyrings are named "krb_ccache_XXXXXX", where XXXXXX is a unique string. The format of a cache keyring is unchanged.

For the "thread", "process", "session", and "user" residual forms, the collection keyring is named "_krb_<name>" (where <name> is from the residual string) and is linked into the appropriate special keyring. For the "persistent" form, the cache keyring is named "_krb" and is linked to the persistent keyring.

When the classic session residual form ("KEYRING:<name>") is used, the first cache is handled specially. It is named with just the <name> from the residual string, and is linked to both the session keyring and to the "_krb_<name>" collection keyring.

Examples:

  • KRB5CCNAME=KEYRING:testccache
session
 \_ testccache
     \_ __krb5_princ__
     \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
     \_ ...
 \_ _krb_testccache
     \_ testccache <link to the key above>
     \_ krb_ccache_WQRQWTQ3
     \_ ...
     \_ krb_ccache:primary (points to testccache at collection cration)
  • KRB5CCNAME=KEYRING:user:testusercc
user
 \_ _krb_testusercc
     \_ krb_ccache_12WEF43f2
         \_ __krb5_princ__
         \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
         \_ ...
     \_ krb_ccache_fdgsER324
     \_ ...
     \_ krb_ccache:primary (krb_ccache_12WEF43f2)
  • KRB5CCNAME=KEYRING:persistent:123
_persistent.123
 \_ _krb
     \_ krb_ccache_12WEF43f2
         \_ __krb5_princ__
         \_ krbtgt/TEST.KERBEROS.ORG@TEST.KERBEROS.ORG
         \_ ...
     \_ krb_ccache_fdgsER324
     \_ ...
     \_ krb_ccache:primary (krb_ccache_12WEF43f2)