Solaris ssh pam_krb

Nicolas Williams Nicolas.Williams at sun.com
Mon Apr 3 15:08:46 EDT 2006


On Mon, Apr 03, 2006 at 02:27:36PM -0400, Jeffrey Hutzelman wrote:
> On Monday, April 03, 2006 12:56:34 PM -0500 Nicolas Williams 
> <Nicolas.Williams at sun.com> wrote:
> 
> >That I'd rather count references to network credentials from sessions
> >than from processes that might have done a seteuid() to temporarily be
> >like you.  But maybe this is wrong anyways.
> 
> I guess I'm not sure what you mean by "references here".  PAGs are 
> intended as a better way to select which credentials to use than looking at 
> the UID, since UIDs have rather narrow meaning and a user can't just 
> decide he wants a new one for this session. :-)
> 
> But if you're talking about reference counting on credentials, then what 

I am.

> you do depends on your model.  If you want to tie credentials to an open 
> file, you need to refcount based on the file, not the UID or PAG.  [...]

File descriptors in Solaris already retain a reference to the cred_t
used to open the file.  So "UID" or "PAG" is not relevant here.  Neither
is "processes with that UID or PAG."  What is relevant is "references to
that UID or PAG from cred_t instances."

> Incidentally, AFS refcounts credentials, but only with regards to "active" 

So does Solaris.  I believe one must in order to support various
standard behaviours (e.g., file descriptor passing over IPC +
distributed filesystems [NFS, AFS, CIFS, whatever]).

> use, like establishing a new connection (actually, just for creating the 
> new connection.  The "security object" which contains the ticket has its 
> own refcounting that the RPC layer does).  On most platforms we couldn't 
> get notified on every process creation or exit even if we wanted to, and 
> the OS doesn't know about our PAGs so it can't tell us when a PAG is no 
> longer in use.  So, we can't refcount credentials, and instead we do a 
> periodic mark-and-sweep, destroying any credentials belonging to a PAG 
> which no longer contains any processes.  The PAG itself has no associated 
> data structure; it's just a number.

Right.  But I'd like the OS to provide a "fall to zero refcount"
facility for either "cred_t instances referencing some UID" or "cred_t
instances referencing some PAG."

Nico
-- 
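As an added illustration of the distinction drawn in this message (counting cred_t references rather than processes in a PAG), here is a toy C model. It is not Solaris, AFS or Kerberos code and not the author's; cred_t, pag_id, proc_t, file_t, pag_fall_to_zero and run_fd_passing_scenario are this example's own names, and the two-process scenario is constructed. An open file retains the credential it was opened with, so a descriptor passed to a process in another PAG keeps the opener's cred alive after the opener exits: a process-based mark-and-sweep sees an empty PAG while the cred is still referenced, whereas the cred_t refcount fires the fall-to-zero hook only on the final close.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of credential lifetime for this thread; not Solaris/AFS code.
 * All names below are this example's own. */

#define MAX_PAGS 8
typedef unsigned pag_id;

typedef struct cred {
    int      refcnt;   /* holders of this cred: processes and open files */
    unsigned uid;
    pag_id   pag;
} cred_t;

/* per-PAG bookkeeping: live cred_t instances, live processes, zero events */
static int pag_live_cred[MAX_PAGS];
static int pag_live_proc[MAX_PAGS];
static int pag_zero_events[MAX_PAGS];

/* the "fall to zero" hook: the last cred_t referencing this PAG is gone,
 * which is when a credential cache for the PAG could safely be destroyed */
static void pag_fall_to_zero(pag_id pag) { pag_zero_events[pag]++; }

static void model_reset(void)
{
    memset(pag_live_cred, 0, sizeof pag_live_cred);
    memset(pag_live_proc, 0, sizeof pag_live_proc);
    memset(pag_zero_events, 0, sizeof pag_zero_events);
}

static cred_t *cred_alloc(unsigned uid, pag_id pag)
{
    cred_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcnt = 1; c->uid = uid; c->pag = pag;
    pag_live_cred[pag]++;
    return c;
}

static cred_t *cred_hold(cred_t *c) { c->refcnt++; return c; }

static void cred_release(cred_t *c)
{
    if (--c->refcnt > 0)
        return;
    if (--pag_live_cred[c->pag] == 0)
        pag_fall_to_zero(c->pag);
    free(c);
}

typedef struct proc { cred_t *cr; } proc_t;
typedef struct file { cred_t *cr; } file_t;  /* keeps the opener's cred */

static proc_t *proc_create(unsigned uid, pag_id pag)
{
    proc_t *p = malloc(sizeof *p);
    if (!p) abort();
    p->cr = cred_alloc(uid, pag);
    pag_live_proc[pag]++;
    return p;
}

static void proc_exit(proc_t *p)
{
    pag_live_proc[p->cr->pag]--;
    cred_release(p->cr);
    free(p);
}

static file_t *file_open(proc_t *opener)
{
    file_t *f = malloc(sizeof *f);
    if (!f) abort();
    f->cr = cred_hold(opener->cr);  /* the cred used to open is retained */
    return f;
}

static void file_close(file_t *f) { cred_release(f->cr); free(f); }

typedef struct {
    int procs_in_pag_after_exit;  /* what a process-based sweep would see */
    int creds_in_pag_after_exit;  /* what cred_t reference counting sees */
    int zero_events_after_exit;
    int zero_events_after_close;
} scenario_result;

/* Constructed scenario: process A (PAG 1) opens a file, the descriptor is
 * passed to process B (PAG 2), and A exits while B still holds it. */
scenario_result run_fd_passing_scenario(void)
{
    scenario_result r;
    model_reset();
    proc_t *a = proc_create(1000, 1);
    proc_t *b = proc_create(1001, 2);
    file_t *fd = file_open(a);        /* fd references A's cred */
    proc_exit(a);                     /* PAG 1 now has no processes */
    r.procs_in_pag_after_exit = pag_live_proc[1];
    r.creds_in_pag_after_exit = pag_live_cred[1];
    r.zero_events_after_exit  = pag_zero_events[1];
    file_close(fd);                   /* last reference to PAG 1's cred */
    r.zero_events_after_close = pag_zero_events[1];
    proc_exit(b);
    return r;
}

int main(void)
{
    scenario_result r = run_fd_passing_scenario();
    printf("after A exits: procs=%d creds=%d zero_events=%d\n",
           r.procs_in_pag_after_exit, r.creds_in_pag_after_exit,
           r.zero_events_after_exit);
    printf("after fd close: zero_events=%d\n", r.zero_events_after_close);
    return 0;
}
```

A sweep keyed on "processes in the PAG" would have destroyed PAG 1's credentials at A's exit, while B's open descriptor still carried them; counting cred_t references defers that to the close, which is the point of asking the OS for a fall-to-zero facility on cred_t instances rather than on processes.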