ucred_t and kerberos

Nicolas Williams Nicolas.Williams at sun.com
Thu Jan 11 00:02:42 EST 2007

[Cc'ed security-discuss at opensolaris.org]

On Wed, Jan 10, 2007 at 07:26:17PM -0500, Jeffrey Hutzelman wrote:
> On Monday, January 08, 2007 10:23:44 PM -0500 Marcus Watts <mdw at umich.edu> 
> wrote:
> > So, in tomorrow's world, let us suppose we had (say) a linux machine, a
> > windows machine, & a sun machine, all happily exchanging ucred_t's via
> > tcp.  How can they each know that the ucred_t that they receive hasn't
> > been tampered with on the wire (after all, streams are internal to
> > solaris; on the wire it's pure tcp/ip).  What extension to tcp allows
> > this traffic to pass?
> If I know Nico, the answers to this and several of the other questions you 
> pose all involve IPsec.

You know me well.  But how I would do it says little about how
OpenSolaris will since I'm not involved in any project relating to this.

There are basically two ways to implement getpeerucred() for non-local

 - using an out-of-band callback to the peer (think secure IDENT)
 - using an out-of-band authentication scheme for IPsec (think IKE, KINK)

The IKE approach might involve either using per-user credentials
(smartcards + PKIX certs) or IKEv2 extensions for asserting an ID to be
returned by getpeerucred().  It's not clear to me that RFC4301 supports
a notion of multi-user systems using different user credentials for
different [per-flow] SAs, though it seems to me that it certainly should
be workable...  _BUT_ a solution that doesn't require per-user
credentials will not doubt be needed in some environments, mainly
because it'd be easier to deploy.



More information about the krbdev mailing list