[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Tomas Olsson tol@stacken.kth.se
15 Jul 2004 12:08:00 +0200 

Kyle Moffett <mrmacman_g4@mac.com> writes:

> I am not completely familiar with all of the metadata that AFS
> needs to maintain, but with the key system it is possible to have
> many different sets of keys accessible.  Perhaps AFS could just
> add an extra connection "key" blob that expires when whatever
> connection used ceases to exist.
>
The current AFS implementations handle the token storage, connections etc
by themselves, the only support needed is the PAG id attached to processes,
with full inheritance like the session keys seem to have. If all direct
user changes to the PAG id can be blocked, all is well. The PAG id has
always just been an integer, which is fine (except for the possibility of
premature reuse).

Of course, if there is a handy infrastructure in place, one could store
other things (like tokens and connection handles) in the blob as well. But
tight access restrictions are very necessary.

> struct key_type {
> 	char *name;
> 	
> 	int (*will_create)(char **desc, void **blob, size_t *blob_len);
> 	void (*did_create)(struct key *key, const char *desc, const
> void *blob, size_t blob_len);
> 	
> 	int (*will_change_desc)(struct key *key, const char *old, char **new);
> 	void (*did_change_desc)(struct key *key, const char *old,
> const char *new);
> 	
> 	int (*will_change_blob)(struct key *key, const char *old,
> size_t old_len, char **new, size_t *new_len);
> 	void (*did_change_blob)(struct key *key, const char *old,
> size_t old_len, const char *new, size_t new_len);
> 	
> 	void (*will_destroy)(struct key *key);
> };
> 
How are these used?

> I don't know exactly what you mean by "forging" a label, but
> as far as the implementation goes, user-space can _ask_
> for whatever description (like kerberos principal name) that
> it wants, with whatever blob it wants.  It's up to the kernel
> module to actually implement data checking on any blobs.
>
Forging a label probably means "I want to use Pete's creds". In the integer
PAG id case, that's fairly easy to do if one has unrestricted write access
to one's keyring. Probably possible in many cases where non-cryptographic
data can be modified.

/Tomas