krb5 context initialization dilema
Zhanna Tsitkov
tsitkova at MIT.EDU
Wed Feb 22 14:17:53 EST 2012
Hi,
During krb5 library context initialization an attempt to retrieve some
values from libdefaults section of the configuration file is made. It
appears that only in three out of ten cases we verify if the reading
of the values from the configuration file was successful. The
attributes that we check the profile_get return code are:
allow_weak_crypto,
ignore_acceptor_hostname,
plugin_base_dir,
We ignore any errors coming from the misconfiguration of the following
attributes:
clockskew,
kdc_req_checksum_type,
ap_req_checksum_type,
safe_checksum_type,
kdc_timesync,
kdc_default_options,
ccache_type.
Encryption types are not read during init_context time.
We have few options here how to deal with this issue.
The first option is to leave the code alone, but to report the
configuration errors (if any) via trace logging mechanism. It is good
for the administrators who are OK with the loose, somewhat inaccurate
configuration, as soon as nothing seemed to be broken - at least at
the first glance. Eventually, they may want to turn on the trace
logging, check the errors reported during library context
initialization and fix them. The problem here is that it might be too
late...
The second option is to report the configuration error as a context
initialization error, and via trace logging. We already fail
context creation if the problem is encountered for three attributes -
allow_weak_crypto, ignore_acceptor_hostname and plugin_base_dir. So
failing for the other seven would not only add a consistency to the
context initialization code, but would make it cleaner. This approach
would appeal to the administrators who strongly believe in the power
of configuration ;) , when configuration must not be ignored. It
would also allow earlier error detection if misconfiguration happens.
Finally, the third option is do not attempt to retrieve these seven
"unverified" values during context initialization and read/cache them
on-demand, when they are needed.
Please, share your preferences regarding this issue.
Thanks,
Zhanna
Zhanna Tsitkov
tsitkova at mit.edu
More information about the Kerberos
mailing list