Refreshing SSH forwarded/delegated credentials
sxw@inf.ed.ac.uk
Sat Jun 4 17:09:16 EDT 2005
On Sat, 4 Jun 2005, Buck Huppmann wrote:
> anybody know if somebody's working on the issue of how to refresh
> credentials forwarded/delegated to an SSH session?
I occasionally start thinking about it, but I haven't yet got as far as
writing any code. There are a lot of dependencies here, and the use of
privsep within the OpenSSH code isn't going to make anything any easier.
Nicolas Williams started the train of thought outlined below...
This plan will only work with key exchange (as opposed to
userauth). Short of designing new protocol pieces, I don't think that
there's any easy way of doing this through the userauth layer.
If you're using GSSAPI seriously you're probably going to want keyexchange
anyway.
The idea is that the client forces a SSH session rekey when it sees the
credentials on its system being renewed. This rekeying will cause a new
GSS context to be created between client and server, allowing the new
credentials to be delegated to the server. The server then saves these
credentials out into the same credentials cache as it originally created
for the user.
There are a number of complications:
*) You need to navigate your way through the privsep layer
*) What happens if the user has used 'kinit' to renew the credentials
early, or to obtain a different set of credentials, but using a cache
of the same name?
*) How can you renew any additional credentials that PAM has obtained
for the user (AFS tokens, kx509 credentials &c.)?
*) Rekeying an ssh session with gss can be risky. If the rekeying fails
for any reason, then the server MUST terminate the session.
*) PAGs/keychains and privsep will _really_ complicate the above as the
process which receives the user's credentials probably won't be in
the same group as the login shell.
The other, broader issue is minimizing the size of the patch to
OpenSSH, so it's still feasible to apply it each time. If the above could
be implemented in a low impact manner, then it would probably be doable...
Cheers,
Simon.
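The rekey-on-renewal scheme and the complications listed in the message above, modelled as an added example. This is illustration code written for this page, not OpenSSH code and not anything Simon proposed; the credential snapshots are constructed inline rather than read from a real Kerberos ccache, and the `Action` names and the `decide`/`server_accepts`/`simulate` helpers are assumptions of this example. The client-side watcher decides whether a change in its ccache warrants forcing a rekey, declines to rekey on already-expired credentials (since a failed GSS rekey must terminate the session), flags the "kinit as a different principal into the same cache" case, and the server-side rule only writes delegated credentials into the cache it originally created for that same principal.

```python
"""Watcher logic for the rekey-on-renewal idea: added example, not OpenSSH
or the poster's code. Snapshots are constructed here, not read from a ccache."""
from dataclasses import dataclass
from enum import Enum, auto


@dataclass(frozen=True)
class CredSnapshot:
    """What the client-side watcher records about the TGT in its ccache."""
    principal: str   # client principal, e.g. "buck@EXAMPLE.ORG" (constructed)
    starttime: int   # POSIX seconds
    endtime: int     # POSIX seconds
    renew_till: int  # 0 when the ticket is not renewable


class Action(Enum):
    NONE = auto()               # nothing changed since the last key exchange
    REKEY = auto()              # same principal, fresher ticket: force a rekey
    PRINCIPAL_CHANGED = auto()  # kinit as someone else into a cache of the same name
    EXPIRED = auto()            # only expired creds: a GSS rekey would fail and kill the session


def decide(last_delegated: CredSnapshot, current: CredSnapshot, now: int) -> Action:
    """Compare the credentials delegated at the last (re)key exchange with the
    ccache contents observed now and pick the watcher's action."""
    if current.endtime <= now:
        # Forcing a rekey with expired creds guarantees the failure case the
        # message warns about (server MUST terminate), so do nothing.
        return Action.EXPIRED
    if current.principal != last_delegated.principal:
        # Same cache name, different identity: not a renewal, needs a policy decision.
        return Action.PRINCIPAL_CHANGED
    if (current.endtime > last_delegated.endtime
            or current.starttime > last_delegated.starttime):
        return Action.REKEY
    return Action.NONE


def server_accepts(cache_principal: str, delegated: CredSnapshot, now: int) -> bool:
    """Server-side rule for writing newly delegated creds into the cache created
    at login: same principal as that cache, and not already expired."""
    return delegated.principal == cache_principal and delegated.endtime > now


def simulate(initial: CredSnapshot, observations):
    """Run the watcher over (now, snapshot) observations; on an accepted rekey the
    delegated snapshot becomes the new baseline. Returns the list of actions."""
    last = initial
    actions = []
    for now, snap in observations:
        action = decide(last, snap, now)
        if action is Action.REKEY and server_accepts(last.principal, snap, now):
            last = snap  # new GSS context delegated the fresher creds
        actions.append(action)
    return actions


if __name__ == "__main__":
    # Constructed sample data: an initial TGT, a kinit -R style renewal, and a
    # kinit as a different user into the same cache.
    first = CredSnapshot("buck@EXAMPLE.ORG", 1000, 2000, 5000)
    renewed = CredSnapshot("buck@EXAMPLE.ORG", 1500, 2500, 5000)
    other = CredSnapshot("alice@EXAMPLE.ORG", 1500, 2500, 0)
    for a in simulate(first, [(1600, first), (1600, renewed), (1700, renewed), (1800, other)]):
        print(a.name)
```

The watcher only decides when to ask for a rekey; triggering the rekey itself and replacing the server-side cache are the parts that, as the message says, need work inside OpenSSH's privsep layer.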