ucred_t and kerberos
Nicolas.Williams at sun.com
Thu Jan 11 00:02:42 EST 2007
[Cc'ed security-discuss at opensolaris.org]
On Wed, Jan 10, 2007 at 07:26:17PM -0500, Jeffrey Hutzelman wrote:
> On Monday, January 08, 2007 10:23:44 PM -0500 Marcus Watts <mdw at umich.edu>
> > So, in tomorrow's world, let us suppose we had (say) a linux machine, a
> > windows machine, & a sun machine, all happily exchanging ucred_t's via
> > tcp. How can they each know that the ucred_t that they receive hasn't
> > been tampered with on the wire (after all, streams are internal to
> > solaris; on the wire it's pure tcp/ip). What extension to tcp allows
> > this traffic to pass?
> If I know Nico, the answers to this and several of the other questions you
> pose all involve IPsec.
You know me well. But how I would do it says little about how
OpenSolaris will since I'm not involved in any project relating to this.
There are basically two ways to implement getpeerucred() for non-local
- using an out-of-band callback to the peer (think secure IDENT)
- using an out-of-band authentication scheme for IPsec (think IKE, KINK)
The IKE approach might involve either using per-user credentials
(smartcards + PKIX certs) or IKEv2 extensions for asserting an ID to be
returned by getpeerucred(). It's not clear to me that RFC4301 supports
a notion of multi-user systems using different user credentials for
different [per-flow] SAs, though it seems to me that it certainly should
be workable... _BUT_ a solution that doesn't require per-user
credentials will no doubt be needed in some environments, mainly
because it'd be easier to deploy.