Alternative proxy-creds API for constrained-delegation

Nico Williams nico at cryptonector.com
Wed Jun 3 17:26:32 EDT 2020 

On Wed, Jun 03, 2020 at 02:34:13PM -0500, Nico Williams wrote:
> On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> > On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico at cryptonector.com> wrote:
> > > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > > This sounds a lot of application logic, and we also don't want to
> > > > implicitly delegate a ticket at this point.
> > >
> > > On the contrary, this makes the app simpler because configuration now is
> > > something of a hole: the app doesn't need to know anything about it, it
> > > just passes through settings from a config file.
> > >
> > > We do this in our sshd already, so it won't need _any_ changes in order
> > > to use this new configuration parameter.
> > 
> > Not sure I follow, so your sshd won't need any changes, how does that
> > make it simple for others? And again, we don't want to implicitly
> > delegate a ticket at this point.
> 
> I'm going to publish our patches (got permission today), and hopefully
> we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
> contribute to OpenSSH.

https://github.com/gss-openssh/openssh-portable/tree/V_8_0_P1-with-gss-keyex-and-HPN

I'll be rebasing these, squashing some dropping all the "Release ..."
commits, maybe splitting Debian, HPN, and GSS KEYEX commits into
separate branches, with master having all the patches.

> Regardless, if you follow this pattern in other apps, you'll get the
> same benefit of making the use of new configuration parameters not
> require further app changes -- IMO minimizing future needed code changes
> is a very powerful feature.

The code in question is here:

 - cred_store key/value setup:

   https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L161

   Yes, it's more lines of code than your alternative, but this has to
   be written only once -- new config parameters can just be added to
   sshd_config (see below).

 - gss_store_cred_into2() call:

   https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L178

 - relevant sshd_config parsing parts:

   https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L283
   https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L1611

Now I'm thinking it'd be nice to have separate sshd_config params for
acceptor acquisition from cred_store and storing of
deleg_cred_handles...

Nico
--

More information about the krbdev mailing list