Fedora ticket cache location

Nico Williams nico at cryptonector.com
Thu Jun 7 16:56:52 EDT 2012


On Thu, Jun 7, 2012 at 3:50 PM, Russ Allbery <rra at stanford.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>
>> The problem is that if you want NFS/AFS/SMB/... to know how to find and
>> use this temporary ccache... how will they do that?  The traditional
>> answers have been:
>
>>  - Solaris NFS -> use per-user default; no temp ccaches, sorry
>>  - AFS -> set PAG, set tokens
>>  - Linux NFS -> use keyrings(?)
>
> I think the only long-term viable way to handle credentials for file
> system access is to create some sort of explicit association between the
> current process or thread and the desired credentials in the kernel, since

And if the process fork()s?  Or if the thread creates a new thread?
Even in the Windows process model, where you can naturally have
different threads in the same process using different access tokens,
you have to concern yourself with this (e.g., spawning).

This requires, IMO, that the new association be inheritable.  That's
what makes up a session though: the set of processes sharing the same
session characteristics through inheritance or explicit session
joining.  Session keyrings, on Linux, for example, fulfill this.

> otherwise you have the problem that a user may have multiple credentials
> and you have to guess which ones they want to use for any given operation.
> And will probably guess wrong.
>
> I don't think it's the place of the Kerberos library to try to solve this
> problem, and I don't think a search path is a viable solution to it.  For
> any possible search path, I can give you a use case with a granularity of
> access that can't be represented by it.  (For one particular degenerate
> case, think a threaded Apache server with proxied credentials.)

The OS has to solve this, indeed.  But Kerberos has to use the
corresponding facility.

>> I think in general when you say "temporary ccache" you want either a)
>> something that NFS/AFS/SMB won't use, or b) a new session so they can
>> find your credentials.
>
> Right now, (a) is the most common case, but indeed I think (b) is becoming
> more common.  Note that k5start and krenew already have code to create a
> new AFS session and tie it to the newly created credentials.

For (a) you need nothing special: just create a temp ccache and use it
via the APIs only.  (b) requires help from the OS.

Nico
--
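As an added illustration, not part of this thread or its authors' code, the following C program shows the inheritable-session property Nico describes using the Linux session keyring through raw syscalls: a key placed in the parent's session keyring is visible to a fork()ed child, and stops being visible once the child joins a fresh session of its own. The function name demo_session_inheritance and the key description "ccache:demo" are constructed for this example; the "user" key stands in for a credential handle, it holds no real ticket.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Thin wrapper over the keyctl(2) syscall so no libkeyutils is needed. */
static long keyctl_call(int cmd, unsigned long a2, unsigned long a3,
                        unsigned long a4, unsigned long a5) {
    return syscall(SYS_keyctl, cmd, a2, a3, a4, a5);
}

/* Is a "user" key with this description reachable from the caller's session keyring? */
static int session_has_key(const char *desc) {
    long k = keyctl_call(KEYCTL_SEARCH, (unsigned long)KEY_SPEC_SESSION_KEYRING,
                         (unsigned long)"user", (unsigned long)desc, 0);
    return k >= 0;
}

/* Returns 1 if the child inherited the key through the session keyring and lost it
 * after joining a new anonymous session, 0 if the kernel did not behave that way,
 * and -1 if the keyring facility is unavailable here (e.g. blocked by seccomp). */
int demo_session_inheritance(void) {
    /* Start a fresh named session keyring; children created by fork() inherit it. */
    if (keyctl_call(KEYCTL_JOIN_SESSION_KEYRING, (unsigned long)"krb-demo-session", 0, 0, 0) < 0)
        return -1;
    /* Constructed stand-in for a credential: a real design would store a ccache handle. */
    const char payload[] = "demo-credential";
    if (syscall(SYS_add_key, "user", "ccache:demo", payload, sizeof payload,
                KEY_SPEC_SESSION_KEYRING) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int inherited = session_has_key("ccache:demo");
        /* Joining a new anonymous session detaches the child from the parent's keyring. */
        keyctl_call(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
        int still_visible = session_has_key("ccache:demo");
        _exit(inherited && !still_visible ? 1 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 1;
}

int main(void) {
    printf("session inheritance result: %d\n", demo_session_inheritance());
    return 0;
}
```

Run it as an ordinary user on Linux; a result of 1 shows the inherit-then-detach behaviour, while -1 means the environment does not expose the keyring syscalls.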