[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 26 Jan 2004 16:28:21 -0500


On Monday, January 26, 2004 11:23:34 -0800 "Henry B. Hotz" 
<hotz@jpl.nasa.gov> wrote:

> Isn't the reason this keeps coming up that AFS client doesn't (can't?)
> behave like a normal Kerberos application and just get it's own service
> ticket when it needs one (based on an existing tgt)?  The real reason
> this doesn't happen is that tickets are stored in a file in /tmp, but
> it's a different set of file system code inside the kernel that would
> need to access it to request the service ticket.

No; it's not that simple.  Making the cache manager access ticket files 
would require first gaining a Kerberos dependency that we don't already 
have, and then importing lots of code into the kernel, much of which 
depends on network and filesystem interfaces that simply don't exist in 
kernel mode.

Worse, it would not solve the problem.  The trouble here is not that AFS 
tokens are stored in a kernel data structure instead of a file.  It's that 
they are indexed by a value which must be set on login, inherited from each 
process by its children, and must not be changeable by the user (to prevent 
token stealing).  OpenSSH loses not because you need special code to set 
tokens, and not even because you need special code to generate a new PAG -- 
those things can be done by a PAM module.  OpenSSH loses because the PAM 
session module gets called outside the inheritance chain of the user's 
shell, which means it can't set a PAG or anything else that is inherited 
across a fork (e.g. groups, environment variables, resource limits, etc etc 
etc).


> I note that on MacOS X tickets are stored in a MACH "security context"
> which acts a lot like a PAG.  Furthermore it's accessible inside the
> kernel.  Doesn't Windows have some similar in-memory storage mechanism?

Windows' own credentials are managed by a trusted component (the LSA), 
which keeps a credential cache associated with each login session.  This 
cache is read-only -- you can ask the LSA to obtain new tickets on your 
behalf, but you can't give it tickets to remember for you, and AFAIK you 
can't have more than one cache per login session.

Both Windows and MacOS X have mechanisms for managing a security context 
which is inherited between processes, cannot be "stolen", and is 
independent of the mechanisms used for terminal control and session 
management.  Other UNIX platforms lack such a mechanism; this is the 
purpose served by the PAG mechanism introduced by AFS.  What is key is the 
existence of such a mechanism, not whether credentials are stored in a file 
or a kernel data structure or some trusted process.


> Has anyone thought about how congruent PAGs and terminal sessions are?

They're not.  They have similar properties, but they are _not_ congruent. 
For example, if you run an X11 session with many xterms, each terminal 
(xterm) is a separate session, but shares the same PAG.  You want this, so 
when you type 'klog' in one window, the resulting tokens are available in 
all windows.  OTOH, if you run an AFS-aware su, the resulting subprocess 
will have a new PAG (you don't want it to share tokens with other windows), 
but it must be in the same session, so it will get a SIGHUP if the terminal 
is closed.

One serious mistake is trying to overload the same inherited classification 
mechanism to perform more than one unrelated purpose.  This is why SVR4 
separates the concept of "process group" and "session" -- process groups 
and the concept of the controlling terminal alone were not sufficient for 
the task.


> I
> think X11 defined the latter, and Kerberos has tried to tie in to them
> rather than import the PAG concept.

AFAIK, the process group concept was introduced in BSD UNIX prior to 
4.3BSD, and the session concept was introduced in SVR4.  Neither was 
introduced by X11, which has no concept of terminals and thus no need to 
manage them, or by xterm, which used the existing pseudo-tty mechanism.

Kerberos in most cases stores credential caches in files; the location of 
the ccache file is stored in the environment, which is another set of 
properties which is inherited between processes (but one which the kernel 
knows precious little about, and whose contents are completely alterable by 
the user and thus cannot be trusted).  On certain platforms, Kerberos has 
indeed made use of PAG-like mechanisms provided by the operating system.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA