[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

emoy@apple.com emoy@apple.com
Sat, 18 Mar 2006 01:34:07 -0800

On Mar 17, 2006, at 7:33 PM, Jeffrey Altman wrote:

> I am cc'ing the openafs-devel@openafs.org mailing list because this is
> really an OpenAFS discussion.  krbdev@mit.edu is meant to be a mailing
> list focused on development of the MIT Kerberos reference implementation.
>
> The fundamental issue being discussed here is whether the Kerberos.App
> display of the Kerberos Credential Cache contents can be used as an
> indication by end users that the AFS kernel module contains tokens for
> that user.  Hank is claiming that presence of an "afs/cellname@REALM"
> service ticket in the credential cache is an indicator that there are
> AFS tokens installed in the AFS kernel module.
>
> I believe that end users should be discouraged from checking the
> Kerberos credential cache to see if they have AFS tokens because doing
> so is fundamentally flawed.  There are many reasons why tokens might be
> removed from the AFS kernel after their initial installation, let alone
> reasons why tokens might not be able to be stored in the first place.
> Therefore, using the Kerberos credential cache as a replacement for the
> "tokens" command or a GUI token display will only make the lives of end
> users and those that support them more difficult.
>
> If there is a concern that the presence of the AFS service ticket will
> be misinterpreted as meaning that tokens are present then perhaps the
> thing to do is modify aklog and anything that derives from its code base
> to not use the default credential cache and instead use a local memory
> cache.  We could make this the default behavior and allow the default
> credential cache to be used when "-d" is specified on the command line to
> allow the presence of the service tickets to be used for debugging
> purposes.

One other place that the credential cache and the AFS token get out of
sync is when trying to renew the TGT.  Renewal of the TGT and AFS token
is a whole subject on its own, but suffice it to say that running
"kinit -R" will renew the TGT, but remove the AFS service ticket, while
the AFS token remains unchanged.

> While not part of the same topic, Derrick Brashear spent time this week
> attempting to prepare a KFM KLL plug-in for aklog that would work on
> Tiger and discovered that under Tiger we will not be able to provide
> such functionality.  We will work with Apple to try to make this happen
> in a future release.  For those who are unaware, the KFM KLL plug-ins
> have been used in previous releases of MacOS X to allow the Kerberos
> initial ticket getting functionality to be extended such that whenever a
> new Kerberos 5 Initial Ticket is obtained a new AFS token would be
> acquired at the same time.  Without this functionality it is not
> possible to provide a single sign-on experience for AFS on Tiger.

(Remember, I'm just a developer who happens to work at Apple; I don't  
speak for Apple.)

It turns out I was working this week on something similar, a PAM module
for aklog.  This is still highly experimental, but I have modified aklog
to be more reentrant and embeddable, by converting all the global
variables into fields of a structure.  I have added an additional routine
that allocates such a structure, which is then passed to the aklog()
routine.  So now, the main() routine of the aklog program calls
alloc_aklog_globals() to get a block of memory, and passes that to the
aklog() routine with the arguments.

The PAM module does the same thing.  There are some differences that are
taken care of with a macro definition, like the fact that argv[0] is the
name of the aklog program, but is the first real argument from the PAM
module.  Also, the aklog program exits on error; the PAM module does a
longjmp back to the aklog() routine to do an error return (because there
is no exit, there might be some memory leaks or other cleanup that will
need to be done).

Creating a loadable PAM module did present some problems.  The LWP code
uses assembly language (process.s for ppc and process.i386.s for x86),
but that code references a global variable in a way that would require a
writable text segment.  So I added the usual assembly goop to move the
relocation info to a data segment.  (I had tried to replace LWP with the
pthread code, but was running into a bunch of undefined symbol problems,
so I fell back to LWP.  I did notice four places that allocate pthread
mutexes but don't initialize them with PTHREAD_MUTEX_INITIALIZER as per
POSIX, which would have made a difference on Mac OS X, since when
uninitialized, they would reside in the common segment, which is not
allowed for a bundle.  Initializing them moves them into a data segment.)

So I finally created the PAM module, which only does session open and
close.  The open calls aklog to create the token.  The close does the
equivalent of unlog, but I then commented that out, since I can imagine
being logged into the GUI when an ssh session comes in, renews the AFS
token and then removes it on logout, leaving the GUI without a token.
Some mechanism for the last-one-out removing the token is needed.

So fine, I have a PAM module, but so what?  Well, I also wrote a
loginwindow "LoginHook", that is called loginwindow_pam_helper.  It gets
run when loginwindow finishes authenticating (presuming
/etc/authorization is set up to do Kerberos authentication).  It then
does the usual PAM stuff to open a session and I set up the PAM config
file to call my pam_aklog module.  In loginwindow_pam_helper, I use a
kqueue to monitor when loginwindow terminates (usually when the user
logs out, or if loginwindow dies) and then close the session.

Well, this actually all works!  I log in, and my AFS tokens are  
there.  I can even set up a .xlog file and get tokens for multiple  
cells.

Now I'm not saying this is the best approach.  My thinking was that a  
PAM module would be useful for other Unix platforms as well, but  
doesn't really fit in so nicely in Mac OS X.  The KFM might be a  
little cleaner, though Mac OS X specific.  But it might be possible  
to get loginwindow to do PAM directly, so my loginwindow_pam_helper  
wouldn't be needed anymore, and then the PAM module might fit in  
better (of course, I'm not on the loginwindow team, so I can't say  
they will make this change).

Mac OS X also has its own way of doing things, like the Authorization
Services framework.  Now I'm a Unix guy, so the Authorization Services
framework is new to me.  But it might also be feasible to put in aklog
as a plug-in.  Then loginwindow could get to aklog through Authorization
Services, and since there is already a pam_securityserver.so module that
calls into the Authorization Services framework, things like ssh might
also be able to get to aklog.  Again this is Mac OS specific, but could
be the cleanest way for both Mac OS X applications and command-line
programs to get aklog access.  And since aklog is embeddable, we could
build the aklog program, the aklog PAM module, the aklog Authorization
plug-in and possibly even the KFM KLL plug-in, all using the same base
code.

Anyways, Derrick, let me know if I can be of help with the KFM KLL  
plug-in (which is something else I don't know much about).

--------------------------------------------------------------------------
Edward Moy
Apple
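
The practical upshot of Altman's point, and of Moy's "kinit -R" remark
above, is that the afs/<cell> service ticket in the credential cache and
the token in the cache manager are independent state: either can exist
without the other, so the only honest check reads both.  The following is
an added example, not code from this thread or from OpenAFS: a small C
cross-check that reads text in the shape of "klist" and "tokens" output
and reports, per cell, which of the two is present.  The sample output is
constructed, the function names are mine, and the line formats are
assumed to match MIT klist and OpenAFS tokens of that era.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CELLS 16
#define CELL_LEN 64

/* Per-cell verdict: bit 0 = afs/<cell> service ticket in the credential
 * cache, bit 1 = token for that cell held by the cache manager. */
enum { NEITHER = 0, TICKET_ONLY = 1, TOKEN_ONLY = 2, BOTH = 3 };

struct cell_state { char cell[CELL_LEN]; int state; };

static int find_or_add(struct cell_state *t, int *n, const char *cell)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].cell, cell) == 0) return i;
    if (*n == MAX_CELLS) return -1;
    snprintf(t[*n].cell, CELL_LEN, "%s", cell);
    t[*n].state = NEITHER;
    return (*n)++;
}

/* Find every "<marker><cell><terminator>" in text and OR bit into that
 * cell's state.  The marker must start a line or follow whitespace, so
 * "krbtgt/..." and column headers never match. */
static void scan(struct cell_state *t, int *n, const char *text,
                 const char *marker, const char *terminators, int bit)
{
    const char *p = text;
    while ((p = strstr(p, marker)) != NULL) {
        int at_boundary = (p == text) || strchr(" \t\n", p[-1]) != NULL;
        p += strlen(marker);
        size_t len = strcspn(p, terminators);
        if (!at_boundary || len == 0 || len >= CELL_LEN) continue;
        char cell[CELL_LEN];
        memcpy(cell, p, len);
        cell[len] = '\0';
        int i = find_or_add(t, n, cell);
        if (i >= 0) t[i].state |= bit;
    }
}

/* Cross-check klist-style and tokens-style text; fills out[] (which must
 * hold MAX_CELLS entries) and returns the number of distinct cells seen. */
int afs_cross_check(const char *klist_out, const char *tokens_out,
                    struct cell_state *out)
{
    int n = 0;
    scan(out, &n, klist_out, "afs/", "@ \t\n", TICKET_ONLY);
    scan(out, &n, tokens_out, "tokens for afs@", " \t\n[", TOKEN_ONLY);
    return n;
}

int afs_state_for(const struct cell_state *t, int n, const char *cell)
{
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].cell, cell) == 0) return t[i].state;
    return -1;
}

const char *afs_state_name(int state)
{
    switch (state) {
    case BOTH:        return "service ticket and token";
    case TICKET_ONLY: return "service ticket but NO token (klist misleads)";
    case TOKEN_ONLY:  return "token but no service ticket (e.g. after kinit -R)";
    default:          return "neither";
    }
}

/* Constructed sample output in the shape of klist and tokens; not captured
 * from a real system. */
static const char SAMPLE_KLIST[] =
    "Ticket cache: FILE:/tmp/krb5cc_501\n"
    "Default principal: user@EXAMPLE.EDU\n\n"
    "Valid starting     Expires            Service principal\n"
    "03/18/06 01:00:00  03/18/06 11:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU\n"
    "03/18/06 01:00:05  03/18/06 11:00:00  afs/example.edu@EXAMPLE.EDU\n"
    "03/18/06 01:00:06  03/18/06 11:00:00  afs/stale.edu@EXAMPLE.EDU\n";

static const char SAMPLE_TOKENS[] =
    "\nTokens held by the Cache Manager:\n\n"
    "User's (AFS ID 1234) tokens for afs@example.edu [Expires Mar 18 11:00]\n"
    "User's (AFS ID 5678) tokens for afs@other.org [Expires Mar 18 09:30]\n"
    "   --End of list--\n";

int main(void)
{
    struct cell_state cells[MAX_CELLS];
    int n = afs_cross_check(SAMPLE_KLIST, SAMPLE_TOKENS, cells);
    for (int i = 0; i < n; i++)
        printf("%-16s %s\n", cells[i].cell, afs_state_name(cells[i].state));
    return 0;
}
```

In the sample, stale.edu is the case Altman warns about (a ticket in the
cache, nothing in the kernel) and other.org is Moy's kinit -R case (token
still valid, service ticket gone).  Only the tokens side answers "can I
read AFS right now"; the klist side is useful for debugging aklog itself.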

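To make the embedding design Moy describes concrete, here is an added,
constructed example (not his code and not OpenAFS's) with the same shape:
former globals live in a context returned by alloc_aklog_globals(), the
argv offset differs between the command line and the PAM host, errors
return through longjmp instead of exit() with the scratch allocations
freed on that path (the leak he mentions), and a session count so that
only the last close does the equivalent of unlog.  The in-memory token
store standing in for the kernel module, the cell-name validation rule,
and every name other than alloc_aklog_globals() and aklog() are
assumptions; no Kerberos or pioctl calls are made.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CELLS 8
#define CELL_LEN 64
#define MAX_CLEANUP 16

/* Constructed stand-in for one user's tokens in the AFS kernel module; a
 * real module would install them with a pioctl instead. */
struct token_store {
    char cells[MAX_CELLS][CELL_LEN];
    int ntokens;
    int sessions;                 /* login sessions relying on these tokens */
};

/* What used to be aklog's globals, one instance per call. */
struct aklog_ctx {
    int embedded;                 /* 0: command line, 1: PAM/library host */
    jmp_buf on_error;             /* set by aklog() when embedded */
    char errmsg[128];
    void *cleanup[MAX_CLEANUP];   /* scratch heap blocks freed on any exit */
    int ncleanup;
};

struct aklog_ctx *alloc_aklog_globals(int embedded)
{
    struct aklog_ctx *c = calloc(1, sizeof *c);
    if (c) c->embedded = embedded;
    return c;
}

static void aklog_release(struct aklog_ctx *c)
{
    while (c->ncleanup > 0) free(c->cleanup[--c->ncleanup]);
}

/* Error exit: the CLI prints and exits, but an embedded host must not lose
 * its process, so free the scratch memory and longjmp back into aklog(). */
static void aklog_fail(struct aklog_ctx *c, const char *msg)
{
    snprintf(c->errmsg, sizeof c->errmsg, "aklog: %s", msg);
    aklog_release(c);
    if (c->embedded) longjmp(c->on_error, 1);
    fprintf(stderr, "%s\n", c->errmsg);
    exit(1);
}

static void *ctx_alloc(struct aklog_ctx *c, size_t n)
{
    void *p = c->ncleanup < MAX_CLEANUP ? calloc(1, n) : NULL;
    if (!p) aklog_fail(c, "out of memory");
    c->cleanup[c->ncleanup++] = p;
    return p;
}

/* aklog() proper.  argv[first] is the first cell name: the CLI passes
 * first=1 (argv[0] is the program name), the PAM module passes first=0.
 * Returns the number of cells handled, or -1 after an embedded error. */
int aklog(struct aklog_ctx *c, int argc, char **argv, int first,
          struct token_store *store)
{
    if (c->embedded) {
        if (setjmp(c->on_error) != 0) return -1;   /* came from aklog_fail() */
    }
    int n = 0;
    for (int i = first; i < argc; i++) {
        size_t len = strlen(argv[i]);
        if (len == 0 || len >= CELL_LEN || strpbrk(argv[i], "/@ \t"))
            aklog_fail(c, "bad cell name");       /* assumed validation rule */
        char *cell = memcpy(ctx_alloc(c, len + 1), argv[i], len + 1);
        int j = 0;
        while (j < store->ntokens && strcmp(store->cells[j], cell) != 0) j++;
        if (j == store->ntokens) {                /* not installed yet */
            if (j == MAX_CELLS) aklog_fail(c, "token store full");
            memcpy(store->cells[store->ntokens++], cell, len + 1);
        }
        n++;
    }
    aklog_release(c);                             /* success frees scratch too */
    return n;
}

/* PAM session hooks: every session of the user shares one set of tokens,
 * so only the last close may do the equivalent of unlog. */
int pam_aklog_open_session(struct aklog_ctx *c, struct token_store *s,
                           int ncells, char **cells)
{
    if (aklog(c, ncells, cells, 0, s) < 0) return -1;
    s->sessions++;
    return 0;
}

int pam_aklog_close_session(struct token_store *s)
{
    if (s->sessions > 0) s->sessions--;
    if (s->sessions > 0) return 0;                /* others still need tokens */
    s->ntokens = 0;                               /* last one out: unlog */
    return 1;
}

int main(int argc, char **argv)
{
    struct token_store store = {0};
    struct aklog_ctx *c = alloc_aklog_globals(0);  /* CLI: errors exit() */
    int n = aklog(c, argc, argv, 1, &store);
    printf("%d cell(s) handled, %d token(s) installed\n", n, store.ntokens);
    free(c);
    return 0;
}
```

Two caveats a real module would have to address.  First, the session
counter here lives in one process; a PAM module is loaded by whichever
process authenticates (the loginwindow helper, sshd, and so on), so a
last-one-out count has to live in state shared across those processes and
keyed by the user, not in module memory.  Second, longjmp only unwinds
what the context tracks: anything the real code holds outside the cleanup
list (open file descriptors, Kerberos library handles) still needs an
explicit release on the error path.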