
Re: setpag switch for afslog?

Darren Tucker wrote:
> 
> Douglas E. Engert wrote:
> [snip]
> > But it has proved to be very handy. Doing a klog -setpag user modifies the
> > parent shell. (I know pagsh;klog could do something similar.)
> >
> > The one other place this is useful is that no AFS libs need to be linked
> > to a daemon which needs to set a pag. This avoids conflicts and allows
> > daemons to be built that can support AFS if it's available. (PAM can also
> > address this if the daemon uses PAM.)
> 
> Please excuse my complete lack of knowledge of all things Kerberos and
> AFS related, I'm looking at this from the daemon's point of view
> (specifically, OpenSSH).

I too am concerned with OpenSSH, as well as Kerberos and AFS. I want to make
sure that these packages can be built and installed independently, so that
OS and Linux vendors who build and distribute one or more of these packages
will build them with all the hooks needed so the end user can easily use
them together. (For example, will RedHat distribute OpenSSH to use
the MIT Kerberos with GSSAPI but not OpenAFS? What about using Heimdal
instead?)

So some of these issues include:
 
  (1) Hooks to set a PAG currently require the PAG to be set from the
      process that will become the user's shell, or its parent.

  (2) How to use Kerberos when there are multiple Kerberos vendors. 

  (3) Use of GSSAPI which is meant to be generic but is missing a generic way
      to store a delegated credential. (The current circumvention is to call mech
      implementation routines, which is what ssh_gssapi_krb5_storecreds has to do,
      which says you have to build OpenSSH with a specific version of Kerberos
      and the GSSAPI will use only Kerberos.)
     
  (4) How to use the delegated credentials from above or Kerberos credentials
      obtained from entering user/password to get an AFS token.

  (5) Avoiding library conflicts. For example if OpenSSH uses the MIT
      Kerberos, and OpenAFS uses Heimdal Kerberos, and OpenSSH needs
      to link or dynamically load all of these, what are the conflicts?
  

If the system supports PAM, it could address (1) and (4).
The PAG could be obtained in PAM, as long as the PAM routine is called
from a process that will become the user's shell, or one of its parents.
(This is related to the privsep problems. You indicate below that it is fixed.)
And due to the way PAGs are implemented, it needs to be done after
the groups are set by a daemon.

To fix (2) and (3) a gss_export_cred function is needed.  This needs to be 
standardized, and implementors of GSSAPI mechanisms need to implement 
it. (The GGF addressed this and a personal draft was submitted
to the IETF.)
 
(3) and (2) may also need some additional work to get any specific Kerberos
code moved to PAM only.   

(4) can use credentials stored by GSSAPI or obtained by PAM, in a PAM
routine called after the credentials are stored.
 

> 
>  From what I've read, the PAG is encoded as a pair of supplemental gids,
> right?  Is there anything else stored in the kernel per-process related
> to the PAG?
> 

This is the common way to store the PAG number. But if I remember, on
AIX IBM actually allocated a field in the process to store the PAG,
and this could have been used by AFS and DFS.


> If it's only the GIDs, would it be possible for a daemon to exec some
> kind of helper app, (something like klog -setpag, I guess), which
> returns those GIDs on its stdout for the daemon to add to the user's groups?

There is a setpag() routine in AFS, which eventually comes down to

 syscall(syscall_num, AFSCALL_SETPAG, 0, 0, 0, 0, 0);

But the syscall_num is different on each OS, and different across releases too.
If the AFS kernel mods are not running, the syscall will fail, so it needs to be
protected by a signal handler.

Andrei Maslennikov <andrei@caspur.it> referred to the krb5_afs_pag_env
I sent him, which does the syscall to get a PAG then fork+execs
an aklog-type routine to get the token. The get_afs_token I posted
to the OpenSSH list did not do the setpag, but relied on the -setpag
trickery; get_afs_token could easily be changed.

> 
> If this was enough, it would be workable without hackery to mess with a
> process' parent.

> 
> (BTW, I took a look at kpam, and in it setpag() is called the
> pam_setcred() call, and in OpenSSH's case, that *is* called by the
> immediate parent of the user's shell (in session.c).  I don't know about
> other PAM/AFS modules.)

Still need to watch out for the groups if setgroups is called after this.
Need to copy the first two groups to the child's groups, if they look like
a PAG. (0x8300,0x8788) i.e. "a", I think for "afs". You need to look carefully:
if the sshd was started under a PAG, you don't want to use that one!

Good, that means that PAM might address these issues on systems that have PAM.
If so then one could build OpenSSH without using kafs, and still use
AFS if it's available on the machine. Need to look at the use of -DUSE_AFS
as set by configure.

> 
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
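The "look carefully at the first two groups" advice above, as an added example that is not code from this thread or from OpenAFS: it assumes the classic OpenAFS encoding of a PAG into two supplementary gids (each gid carries 14 PAG bits plus 0x3f00, and valid PAGs start with the byte 'A', 0x41), decodes a candidate pair, and builds the gid list a daemon would hand to setgroups() for the child while skipping the PAG the daemon itself was started under. The pair (0x8300,0x8788) from the mail decodes to PAG 0x41000888 under this scheme.

```c
#include <stdint.h>
#include <sys/types.h>

#define NOPAG 0xffffffffu

/* Decode a PAG from the gid pair (g0, g1); NOPAG if it is not a PAG pair.
 * Encoding assumed: each gid = 0x3f00 + 14 low PAG bits, with the top
 * 4 PAG bits split across both gids (quotient/remainder by 3). */
uint32_t pag_from_groups(gid_t g0, gid_t g1)
{
    uint32_t a = (uint32_t)g0 - 0x3f00u, b = (uint32_t)g1 - 0x3f00u;
    if (a < 0xc000u && b < 0xc000u) {  /* gids below 0x3f00 wrap and fail */
        uint32_t l = ((a & 0x3fffu) << 14) | (b & 0x3fffu);
        uint32_t h = (a >> 14);
        h = (b >> 14) + h + h + h;
        uint32_t pag = (h << 28) | l;
        if (pag >= 0x41000000u)       /* real PAGs begin with 'A' (0x41) */
            return pag;
    }
    return NOPAG;
}

/* Build the list for setgroups() in the child: the wanted groups, with the
 * PAG pair from the head of the daemon's current list copied in front, unless
 * that PAG is daemon_pag (the one the daemon was started under; NOPAG if none).
 * Returns the number of gids written, or -1 if out is too small. */
int groups_with_pag(const gid_t *cur, int ncur, const gid_t *want, int nwant,
                    uint32_t daemon_pag, gid_t *out, int maxout)
{
    int n = 0, i;
    if (ncur >= 2) {
        uint32_t pag = pag_from_groups(cur[0], cur[1]);
        if (pag != NOPAG && pag != daemon_pag) {
            if (maxout < 2) return -1;
            out[n++] = cur[0];
            out[n++] = cur[1];
        }
    }
    for (i = 0; i < nwant; i++) {
        if (n >= maxout) return -1;
        out[n++] = want[i];
    }
    return n;
}
```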