[OpenAFS-devel] Seeking Volunteer: Token Acquisition Library
Jeffrey Altman
jaltman@your-file-system.com
Mon, 12 Dec 2011 15:03:17 -0500
At the present time, OpenAFS does not have a single authentication library.
Instead, the auth package contains the old kaserver/kerberos-iv authentication
routines and all of the kerberos-v and krb524 translation code is replicated
in every tool that performs token acquisition.

At the 2011 hackathon in Pittsburgh the need for a consolidated authentication
library was discussed.  It is needed to reduce code complexity and make it
easier for third party credential acquisition tools to obtain support for
rxgk.  The below text outlines a design proposal which is in need of a
developer to turn it into a reality.

Thanks to Simon Wilkinson (Your File System, Inc.) for the design.

---

Overview

The plan is to create a single library for gaining afs tokens on Unix and
Windows, which combines together the functionality of the various existing
aklog and klog commands. The library should be capable of acquiring kas and
krb5 (both natively, and through a 524 converter) for rxkad, and of being
extended to support other mechanisms such as rxgk in the future. It should be
possible to gain tokens using a password, credentials held within a local
credentials cache, or those held within a krb5 keytab. It should also be
possible to use the existing aklog 'kimpersonate' functionality to produce
credentials using a forged service ticket.

This library will be used to implement a single binary which can perform
either password driven (klog style) or password free (aklog style) token
acquisition.  On Windows, this library would later be used to replace the
functionality in the NetIdMgr OpenAFS credentials provider.

Library Design

Whilst in the initial implementation, the library will be purely used by one
or more command line tools (see below), the intention is that it will also be
used by the proposed token renewing functionality for afsd
(http://gerrit.openafs.org/#change,4063), so it has to be capable of being
used as a proper library (good constructors, destructors, no resource leaks,
and stable over a long lived process).

The library is structured to be as extensible as possible. There is a token
acquisition context which contains all of the necessary configuration
information to be able to acquire tokens, and a single function which takes
that context and acquires the token which is the best fit for the incoming
request. This function is reusable over a particular configuration, so it can
be used by a long running process to easily renew credentials.

Here's a rough draft of how such an interface could be structured ...

/* Create a new acquisition context */
auth_gettoken_ctx *
auth_GetToken_BuildContext(void);

void
auth_GetToken_DestroyContext(auth_gettoken_ctx **ctx);

typedef enum {
    AUTH_GETTOKEN_METHOD_PASSWORD,
    AUTH_GETTOKEN_METHOD_KEYTAB,
    AUTH_GETTOKEN_METHOD_CREDENTIALS
} auth_InitialMethod;

/* Add an initial credential acquisition method */
int
auth_GetToken_EnableInitialMethod(auth_gettoken_ctx *ctx,
                                  auth_InitialMethod method);

typedef enum {
    AUTH_GETTOKEN_METHOD_RXKAD_K5,
    AUTH_GETTOKEN_METHOD_RXKAD_K524,
    AUTH_GETTOKEN_METHOD_RXKAD_KAS,
    AUTH_GETTOKEN_METHOD_RXGK
} auth_GetTokenMethod;

/* Add a mechanism for acquiring a token for a particular type */
int
auth_GetToken_EnableTokenMethod(auth_gettoken_ctx *ctx,
                                auth_GetTokenMethod method);

typedef enum {
    AUTH_GETTOKEN_CONFIG_PRINCIPAL,
    AUTH_GETTOKEN_CONFIG_KEYTAB,
    AUTH_GETTOKEN_CONFIG_PASSWORD,
    AUTH_GETTOKEN_CONFIG_LIFETIME,
    AUTH_GETTOKEN_CONFIG_REALM,
    AUTH_GETTOKEN_CONFIG_SETPAG,
    ...
} auth_GetTokenConfigKey;

/* Add configuration for a particular key */
int
auth_GetToken_AddConfiguration(auth_gettoken_ctx *ctx,
                               auth_GetTokenConfigKey key,
                               char *value);

int
auth_GetTokens(auth_gettoken_ctx *context,
               struct afsconf_cell *cell,
               int force,
               int setpag);

Command Line Tool Design

The intention is to provide a single command line tool which provides the
functionality of all of the various log tools. This can be done by simply
determining the name that the command is invoked by (aklog or klog), and
setting up the appropriate command parser. The existing additional
functionality of all commands should be preserved (for example, aklog's path
walk function).

Implementation

The best fit within the OpenAFS tree for the new interfaces is the 'auth'
library, ideally as one or more new pieces of source code. It is envisaged
that this new code will replace the current token acquisition implementations
in src/aklog/aklog.c, src/aklog/klog.c, src/kauth/klog.c and
src/kauth/manylog.c with a single source file in src/auth.

The src/aklog/aklog.c file is the best starting point - it has by far the
cleanest architecture, and it should serve as a solid base for this work.

krb524 functionality has been removed from both MIT and Heimdal Kerberos
implementations over the last couple of years.  krb524 will need to be
implemented within the openafs code base.  The OpenVision libkrb524.a can be
used as a starting point for that work.

https://github.com/krb5/krb5-anonsvn/tree/tags%2Fkrb5-1-3-6-final/src/krb524
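The context-and-best-fit design sketched in the draft interface above, as an added example that is not OpenAFS code and not part of the original message: it models the proposed context with a leak-free constructor/destructor and a hypothetical auth_GetToken_SelectMethod that picks the preferred mechanism from what the context enables and the cell supports. Actual Kerberos, kas and rxgk acquisition is not modeled; the bit-set storage, the preference order (rxgk, then native krb5, then krb524, then kas) and the keytab-path check are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not OpenAFS code: a minimal model of the proposed context.
 * Enum names follow the draft; bit-set storage, the preference order and
 * auth_GetToken_SelectMethod are assumptions made for illustration. */
typedef enum { AUTH_GETTOKEN_METHOD_PASSWORD, AUTH_GETTOKEN_METHOD_KEYTAB,
    AUTH_GETTOKEN_METHOD_CREDENTIALS } auth_InitialMethod;
typedef enum { AUTH_GETTOKEN_METHOD_RXKAD_K5, AUTH_GETTOKEN_METHOD_RXKAD_K524,
    AUTH_GETTOKEN_METHOD_RXKAD_KAS, AUTH_GETTOKEN_METHOD_RXGK } auth_GetTokenMethod;
typedef enum { AUTH_GETTOKEN_CONFIG_PRINCIPAL, AUTH_GETTOKEN_CONFIG_KEYTAB,
    AUTH_GETTOKEN_CONFIG_PASSWORD, AUTH_GETTOKEN_CONFIG_LIFETIME,
    AUTH_GETTOKEN_CONFIG_REALM, AUTH_GETTOKEN_CONFIG_SETPAG,
    AUTH_GETTOKEN_CONFIG_COUNT } auth_GetTokenConfigKey;
typedef struct {
    unsigned initial, token;                  /* bit sets of enabled methods */
    char *config[AUTH_GETTOKEN_CONFIG_COUNT]; /* owned copies, freed on destroy */
} auth_gettoken_ctx;
auth_gettoken_ctx *auth_GetToken_BuildContext(void)
{ return calloc(1, sizeof(auth_gettoken_ctx)); }
void auth_GetToken_DestroyContext(auth_gettoken_ctx **ctx)
{
    if (ctx == NULL || *ctx == NULL) return;   /* safe to call twice */
    for (int i = 0; i < AUTH_GETTOKEN_CONFIG_COUNT; i++) free((*ctx)->config[i]);
    free(*ctx); *ctx = NULL;      /* caller's pointer cleared: no double free */
}
int auth_GetToken_EnableInitialMethod(auth_gettoken_ctx *ctx, auth_InitialMethod m)
{ ctx->initial |= 1u << m; return 0; }
int auth_GetToken_EnableTokenMethod(auth_gettoken_ctx *ctx, auth_GetTokenMethod m)
{ ctx->token |= 1u << m; return 0; }
int auth_GetToken_AddConfiguration(auth_gettoken_ctx *ctx, auth_GetTokenConfigKey k, char *v)
{
    char *copy = malloc(strlen(v) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, v);
    free(ctx->config[k]); ctx->config[k] = copy; /* re-adding a key replaces, never leaks */
    return 0;
}
/* Best fit among enabled token methods the cell also supports (same bit numbering):
 * rxgk, then native krb5, then krb524, then kas. Returns the method or -1. */
int auth_GetToken_SelectMethod(const auth_gettoken_ctx *ctx, unsigned cell_supports)
{
    static const auth_GetTokenMethod pref[] = { AUTH_GETTOKEN_METHOD_RXGK,
        AUTH_GETTOKEN_METHOD_RXKAD_K5, AUTH_GETTOKEN_METHOD_RXKAD_K524, AUTH_GETTOKEN_METHOD_RXKAD_KAS };
    /* a keytab-only context without a keytab path cannot obtain anything */
    if (ctx->initial == 1u << AUTH_GETTOKEN_METHOD_KEYTAB
        && ctx->config[AUTH_GETTOKEN_CONFIG_KEYTAB] == NULL) return -1;
    for (size_t i = 0; i < sizeof pref / sizeof pref[0]; i++)
        if (ctx->token & cell_supports & (1u << pref[i])) return pref[i];
    return -1;
}
```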