Solaris ssh pam_krb

Jeffrey Hutzelman jhutz at cmu.edu
Mon Apr 3 14:27:36 EDT 2006 


On Monday, April 03, 2006 12:56:34 PM -0500 Nicolas Williams 
<Nicolas.Williams at sun.com> wrote:

> That I'd rather count references to network credentials from sessions
> than from processes that might have done a seteuid() to temporarily be
> like you.  But maybe this is wrong anyways.

I guess I'm not sure what you mean by "references here".  PAG's are 
intended as a better way to select which credentials to use than looking at 
the UID, since UID's have rather narrow meaning and a user can't just 
decide he wants a new one for this session. :-)

But if you're talking about reference counting on credentials, then what 
you do depends on your model.  If you want to tie credentials to an open 
file, you need to refcount based on the file, not the UID or PAG.  OTOH, if 
you do what AFS does, which is "use whatever credentials you have at the 
time of the access", then you don't need that granularity of refcounting. 
Of course, that may produce surprising results if, for example, you pass a 
file descriptor to an unrelated process expecting to be lending your access 
rights to the file to the other process.  But it works OK for us.

Incidentally, AFS refcounts credentials, but only with regards to "active" 
use, like establishing a new connection (actually, just for creating the 
new connection.  The "security object" which contains the ticket has its 
own refcounting that the RPC layer does).  On most platforms we couldn't 
get notified on every process creation or exit even if we wanted to, and 
the OS doesn't know about our PAG's so it can't tell us when a PAG is no 
longer in use.  So, we can't refcount credentials, and instead we do a 
periodic mark-and-sweep, destroying any credentials belonging to a PAG 
which no longer contains any processes.  The PAG itself has no associated 
data structure; it's just a number.



>> > PAGs, like group memberships, do not, IMO, make a good access control
>> > on process tracing, and they are orthogonal to [local] filesystem
>> > access controls.  It would be rather surprising if one could not
>> > trace/debug one's processes from different login sessions.
>>
>> It would not be surprising if that's what you were expecting.
>
> Noone expects the Spanish Inquisition today...

:-)



>>                                                                But let's
>> leave the issue of paranoid people aside for a moment, on concentrate on
>> PAG's as an identity selection mechanism.  You're right; that's
>> essentially  how they are used in AFS today, though in a roundabout way.
>> Essentially,  we use PAG's to separate management and use of credentials
>> between  sessions.  So a user can have multiple sessions with different
>> PAG's, and  they don't interfere with each other.  He can create a new
>> PAG and set  credentials for a different identity, and processes in the
>> new PAG get the  new identity while processes in the old PAG get the old
>> one.
>>
>> Now, the issue is that when you're talking about a caching distributed
>> filesystem, your identity affects not only what credentials are used to
>> establish connections to fileservers on your behalf, but also what you
>> are  allowed to do with cached data and connections.  For example...
>
> Yes, clearly, but this doesn't make PAGs a process group separation
> feature *locally*.  On the wire your PAGs look as though they were
> different identities; locally they are not.

Sure.  But it turns out to be incredibly useful to have "weak" separation, 
in which you have to go to some effort to use an identity other than the 
one associated with your own PAG.  When you involve human users or complex 
software build processes, the principle of least privilege becomes fairly 
important.

My point is that in order to make this work right, the (kernel-mode) cache 
manager must be able to find out what "AFS PAG" a process belongs to.  If 
you have simple PAG's, then we make "AFS PAG's" congruent to those and 
we're done.  If you have multi-app PAG's, then it gets harder.  I just 
don't want it to be so hard that I have to do at least one upcall to 
user-mode for every vnode or file op on a file in AFS.



>> Now, the thing that makes PAG's more than just identity selection is
>> that  you can't arbitrarily select a PAG -- you can use the one you
>> have, or ask  for a new (empty) one, but you can't pick up one
>> arbitrarily and use it.
>
> It's trivial to implement this, but we could also allow one to join
> arbitrary PAGs that one also owns (i.e., label PAGs with the euid [or
> ruid?] of the process that creates them and let the same user's other
> processes join any PAGs that user owns).

Yes, you could do that.  Those wouldn't be the same semantics as AFS, but 
that's not necessarily a problem.  It _would_ be very similar to the 
semantics of Kerberos file ccaches, which can also be useful.



> I'm willing to consider being able to "join PAGs one owns" (and then
> dismiss this as an unnecessary complication).

I'm not sure what to think about this.  Personally, I make fairly heavy use 
of the idea that I can pick up an existing ccache owned by me and use it. 
But I also suspect there are people who would think this was a great 
badness for AFS PAG's.  I suppose it wouldn't be all that hard to allow 
PAG-joining to be disabled on a system-wide basis.




>
>>                       but the people who are really paranoid will do
>> something about it, perhaps by disabling tracing altogether (along with
>> dtrace, and the ability to load kernel modules or touch kernel memory in
>> any way, etc, etc, etc).
>>
>> Interestinly, while PAG's don't directly provide process group separate,
>> it  occurs to me that given the ability for in-kernel code to determine
>> a  process's PAG, they could be used to _implement_ stronger session
>> separation.  I don't know enough about the internals of Solaris, but I
>> bet  I could write a security module for Linux that did exactly this,
>> using AFS  PAG's.
>
> A module?  On Solaris you'd have to change a variety of existing
> functions, like secpolicy*().  Would it be much easier to do this in
> Linux?

Yes, to some extent.  Linux has a pluggable security module framework, in 
which the registered security module is called in various places to 
determine if an operation is allowed, what its effects will be, and/or 
whether there are side-effects.  I'm afraid the placement of such hooks is 
a little haphazard and probably sparser than it should be, but I believe 
there are enough that I could prevent processes in different PAG's from 
tracing each other.

-- Jeff

More information about the Kerberos mailing list