[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Henry B. Hotz hotz@jpl.nasa.gov
Thu, 30 Aug 2007 00:08:55 -0700


On Aug 29, 2007, at 6:50 PM, Jeffrey Altman wrote:

> Henry B. Hotz wrote:
>> Also while setgroups() may not be sufficiently protected to
>> really satisfy the model, it's at least harder than setenv.
>
> I'm now confused.  What are you trying to protect against?

I think I'll refuse to answer that (directly anyway) on the grounds  
that I shouldn't have gone into as much detail as I already have.   
The detail has already distracted some people from my main point.

The point of bringing up PAGs is that it's a pretty good model for  
who *should* be able to access a credential.  "Security" is the flip  
side of that:  everyone else *shouldn't* be able to access the  
credential.

> Kerberos uses environment variables as one method of pointing
> an application at a specific credential cache.  It doesn't
> have to be a FILE credential cache.  It could be an API cache
> as on Windows or MacOS X, or an LSA cache on Windows, or a
> KEYRING cache on Linux, or one of any of the other credential
> cache types.  Implementing a PAG credential cache is not
> necessarily going to eliminate the use of environment variables as a
> method of pointing the application at the PAG credential cache.

The point is not the ccache type per se.  The point is the semantics  
of the model and the difficulty of breaking out of or into the "PAG".

The FILE: ccache was just an example.  I grant you that other, less  
standard, types may do a much better job of implementing the model.

> Jeffrey Altman
>
> P.S. - I find it very interesting that this thread is now
> including OpenAFS when it still is not including MIT's Kerberos
> developers in the discussion.

Feel free to add them, especially if you think MIT might actually  
devote some implementation resources.  I'm not excluding anybody.  I  
added OpenAFS because I wanted to talk about PAGs and thought it  
might spur some OpenAFS developer to contribute.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
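The mechanism the quoted paragraph describes (KRB5CCNAME pointing a process at a cache of some type) and the FILE: case Henry uses as his example, as an added illustration that is not part of the thread and is not code from OpenAFS, Heimdal or MIT. The cache type list and the /tmp/krb5cc_<uid> default are assumptions matching the usual Unix libkrb5 conventions; the Windows drive-letter special case is not handled. The audit function checks the one property a FILE: cache can offer, owner-only permissions, and its docstring notes what that still does not give you: any other process under the same uid is inside the "PAG" as far as the file is concerned.

```python
"""Added example (not from the thread, OpenAFS, Heimdal or MIT): what
KRB5CCNAME selects, and an audit of a FILE: cache's protection."""
import os
import stat
import tempfile

# Cache types named in the thread plus the usual Unix ones. Assumed list:
# the real libraries register cache types at runtime.
KNOWN_TYPES = {"FILE", "API", "MEMORY", "KEYRING", "DIR", "KCM", "MSLSA"}


def resolve_ccache_name(name):
    """Split a 'TYPE:residual' cache name into (TYPE, residual).

    A name with no colon is a FILE path; an unknown type prefix is an
    error, which is how MIT and Heimdal behave on Unix (assumption:
    Windows 'C:\\...' drive letters are not special-cased here)."""
    if ":" not in name:
        return "FILE", name
    prefix, residual = name.split(":", 1)
    if prefix.upper() not in KNOWN_TYPES:
        raise ValueError("unknown credential cache type: %s" % prefix)
    return prefix.upper(), residual


def effective_ccache(environ, uid):
    """Which cache a process will open: KRB5CCNAME if set, otherwise the
    traditional per-uid default FILE cache /tmp/krb5cc_<uid> (assumed).

    Note what this does *not* do: the variable only redirects the lookup.
    Any other process running as the same uid can set it the same way, or
    simply open the default path directly."""
    name = environ.get("KRB5CCNAME")
    if name:
        return resolve_ccache_name(name)
    return "FILE", "/tmp/krb5cc_%d" % uid


def check_file_ccache(path, uid):
    """Audit a FILE: cache. Returns a list of problems; an empty list means
    the file is a regular file owned by `uid` with no group/other access,
    which is the most a FILE: cache can do. It still cannot tell two
    processes of the same uid apart, which is the gap a PAG model closes."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if stat.S_ISLNK(st.st_mode):
        problems.append("%s is a symlink" % path)
    elif not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    return problems


def audit_constructed_cache(mode):
    """Create a throwaway file (constructed input, not a real ticket cache),
    give it `mode`, audit it as the current user, and clean up."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_demo_")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_file_ccache(path, os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("this process would use:", effective_ccache(os.environ, os.getuid()))
    print("0600 cache:", audit_constructed_cache(0o600))
    print("0644 cache:", audit_constructed_cache(0o644))
```

Run it once with KRB5CCNAME unset and once with, say, KRB5CCNAME=KEYRING:persistent:1000 exported, to see the type switch without anything about the process itself changing; the audit shows that even a correctly protected FILE: cache is only protected against other uids.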