krb5-1.12 is released

Greg Hudson ghudson at MIT.EDU
Wed Jan 8 17:20:30 EST 2014



On 12/11/2013 03:37 AM, Eray Aslan wrote:
> *** Failure: Output not expected for keyring
> Expected output:
> 
> KEYRING:session:/tmp/krb5-1.12/lib/krb5/ccache/testdir:tkt1
> KEYRING:session:/tmp/krb5-1.12/lib/krb5/ccache/testdir:tkt2
> KEYRING:session:/tmp/krb5-1.12/lib/krb5/ccache/testdir:tkt3
> 
> Actual output:

We finally figured this out.  It boils down to two things:

1. In many typical Linux configurations (outside of Fedora), the PAM
session stack does not use pam_keyinit or equivalent, so processes do
not have an explicit session keyring.

2. In this situation, add_key(..., KEY_SPEC_SESSION_KEYRING) behaves
in a manner I don't agree with.  Instead of adding a key to the user
session default keyring (as I would expect from the documentation at
https://www.kernel.org/doc/Documentation/security/keys.txt), it
creates a fresh session keyring scoped to the process and its
descendants.  That keyring goes away when the process exits, so the
next process can't see the created keys in the session keyring.

After some discussion, I convinced the maintainer of the Linux keyring
code to change the semantics of keyring writing so that the user
default session keyring is used when no explicit session keyring is
present.  There is also a relatively simple workaround that we can add
for existing kernels (basically, "if @s == @us, add keys to @us
instead of @s"), which is already used by aklog.

Arguably we should also be lobbying Debian and Ubuntu and Gentoo to
fix #1, so that session keyrings have the intended semantics.
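The "if @s == @us, add keys to @us instead of @s" workaround from the message above, written out as an added example (not code from krb5, aklog or the kernel). It assumes Linux, the key type "user", and that keyctl(KEYCTL_GET_KEYRING_ID) without the create flag reports the same serial for @s and @us when no explicit session keyring exists; the fake ID functions are constructed so the decision logic can be exercised without touching the real keyrings.

```c
/* Workaround: when the process has no explicit session keyring, @s really is @us,
 * so write to @us instead of letting the kernel create a per-process @s that dies with us. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
#endif
typedef int32_t key_serial_t;
#define KEY_SPEC_SESSION_KEYRING      (-3)  /* @s  */
#define KEY_SPEC_USER_SESSION_KEYRING (-5)  /* @us */
#define KEYCTL_GET_KEYRING_ID         0

/* Syscalls are injected so the decision logic can also run offline with fakes. */
typedef key_serial_t (*keyring_id_fn)(key_serial_t spec);
typedef key_serial_t (*add_key_fn)(const char *, const char *, const void *, size_t, key_serial_t);

/* Adds the key and returns the keyring spec actually written to, 0 on failure. */
key_serial_t session_add_key(const char *type, const char *desc, const void *payload,
                             size_t plen, keyring_id_fn get_id, add_key_fn add)
{
    key_serial_t target = KEY_SPEC_SESSION_KEYRING;
    key_serial_t s  = get_id(KEY_SPEC_SESSION_KEYRING);      /* lookup only, create=0 */
    key_serial_t us = get_id(KEY_SPEC_USER_SESSION_KEYRING);
    if (s > 0 && s == us)                  /* no explicit session keyring present */
        target = KEY_SPEC_USER_SESSION_KEYRING;
    return add(type, desc, payload, plen, target) < 0 ? 0 : target;
}

/* Constructed fakes for the two situations described in the mail (not real kernel IDs). */
key_serial_t fake_last_ring;
key_serial_t fake_id_no_session(key_serial_t spec) { (void)spec; return 1001; }
key_serial_t fake_id_explicit(key_serial_t spec) { return spec == KEY_SPEC_SESSION_KEYRING ? 2002 : 1001; }
key_serial_t fake_add(const char *t, const char *d, const void *p, size_t n, key_serial_t ring)
{ (void)t; (void)d; (void)p; (void)n; fake_last_ring = ring; return 4242; }
#ifdef __linux__
/* Real wrappers: the kernel is asked for @s without creating one as a side effect. */
key_serial_t real_keyring_id(key_serial_t spec)
{ return (key_serial_t)syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID, (long)spec, 0L); }
key_serial_t real_add_key(const char *type, const char *desc, const void *p, size_t n, key_serial_t ring)
{ return (key_serial_t)syscall(SYS_add_key, type, desc, p, n, (long)ring); }

int main(void)
{
    key_serial_t r = session_add_key("user", "krb5-keyring-demo", "x", 1, real_keyring_id, real_add_key);
    if (!r) { perror("add_key"); return 1; }
    printf("key written to %s\n", r == KEY_SPEC_USER_SESSION_KEYRING ? "@us (no explicit @s)" : "@s");
    return 0;
}
#endif
```

Run it once in a shell whose PAM stack did not call pam_keyinit and once after `keyctl new_session`; the first reports @us, the second @s, and `keyctl show` afterwards shows where the key landed.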