Refreshing SSH forwarded/delegated credentials

sxw@inf.ed.ac.uk
Sat Jun 4 17:09:16 EDT 2005


On Sat, 4 Jun 2005, Buck Huppmann wrote:

> anybody know if somebody's working on the issue of how to refresh
> credentials forwarded/delegated to an SSH session?

I occasionally start thinking about it, but I haven't yet got as far as
writing any code. There are a lot of dependencies here, and the use of 
privsep within the OpenSSH code isn't going to make anything any easier.
Nicolas Williams started the train of thought outlined below...

This plan will only work with key exchange (as opposed to 
userauth). Short of designing new protocol pieces, I don't think that 
there's any easy way of doing this through the userauth layer.
If you're using GSSAPI seriously you're probably going to want keyexchange 
anyway.

The idea is that the client forces a SSH session rekey when it sees the 
credentials on its system being renewed. This rekeying will cause a new
GSS context to be created between client and server, allowing the new
credentials to be delegated to the server. The server then saves these 
credentials out into the same credentials cache as it originally created 
for the user.

There are a number of complications:
 *) You need to navigate your way through the privsep layer
 *) What happens if the user has used 'kinit' to renew the credentials 
    early, or to obtain a different set of credentials, but using a cache 
    of the same name?
 *) How can you renew any additional credentials that PAM has obtained 
    for the user (AFS tokens, kx509 credentials &c.)?
 *) Rekeying an ssh session with gss can be risky. If the rekeying fails
    for any reason, then the server MUST terminate the session.
 *) PAGs/keychains and privsep will _really_ complicate the above as the
    process which receives the user's credentials probably won't be in
    the same group as the login shell.

The other, broader issue, is of minimizing the size of the patch to 
OpenSSH, so it's still feasible to apply it each time. If the above could 
be implemented in a low impact manner, then it would probably be doable...

Cheers,

Simon.
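
The rekey-driven refresh sketched above, and the checks the listed complications call for, as an added model (not OpenSSH or Kerberos code, and not from this thread): the client rekeys only when its own cache was genuinely renewed, and the server saves delegated credentials into the cache it created only when they belong to the same principal and are newer, terminating the session when the rekey fails. All class and field names are invented for illustration.

```python
# Model of the client watcher / server save step described in the mail.
# Creds stands in for what a GSS delegation carries; all values are
# constructed samples, and the ccache itself is not touched.
from dataclasses import dataclass


@dataclass
class Creds:
    principal: str          # e.g. "user@EXAMPLE.ORG" (constructed sample)
    endtime: int            # Unix time; a renewal yields a later endtime
    delegable: bool = True  # a non-forwardable TGT cannot be delegated


@dataclass
class ServerSession:
    principal: str          # principal the session was opened for
    cache: Creds            # credentials the server wrote at login
    alive: bool = True

    def accept_rekey(self, delegated):
        """Server side of a GSS rekey; returns the action taken.
        A failed rekey MUST end the session; a cache of the same name is
        never overwritten with credentials for a different principal."""
        if delegated is None or not delegated.delegable:
            self.alive = False                  # new context failed
            return "terminated"
        if delegated.principal != self.principal:
            return "rejected"                   # user kinit'd as someone else
        if delegated.endtime <= self.cache.endtime:
            return "ignored"                    # nothing newer to save
        self.cache = delegated                  # save into the same ccache
        return "refreshed"


def client_should_rekey(last_seen, current):
    """Client watcher: force a rekey only when the local cache was renewed
    for the same principal, not when kinit swapped in a different identity."""
    return (current.principal == last_seen.principal
            and current.endtime > last_seen.endtime)
```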



More information about the Kerberos mailing list