
Re: Behavioural differences in Heimdal and MIT

Johan Danielsson wrote:

> Gabor Gombas <gombasg@sztaki.hu> writes:
>>Maybe the proper solution would be to allow different backends (LDAP,
>>RDBMS etc.) for getting the information that is now contained in the
>>.k5login file. That would allow completely avoiding file system access
>>until the authentication/authorization process has finished.
> Well, authorization doesn't really belong in libkrb5 at all, .k5login
> is just an ad-hoc solution to a real-world problem.

I totally agree. And this real-world problem shows up in GSS as well,
as GSS does not do an authorization check, thus forcing the application
writer to call krb5_kuserok even when using GSS.  OpenSSH
is a good example.

>>1. Provide a callback that can be used to replace just the reading of
>>   the .k5login file, leaving the content parsing/decision making in
>>   Heimdal, or
>>2. Moving the decision making completely to the callback. This is more
>>   general but applications may need to implement more logic than with
>>   the first approach.
> I think .k5login is a bit too simplistic, so I'd vote for 2.

I would like to propose a third option:

Use a generic authorization check routine, one that can take
a src_name from gss_accept_sec_context, or the gss_context, and
use these to make this decision. The IETF Kitten group has
a number of documents that address this subject, but as far as I
can tell they don't address this real world problem.

If the routine was simple enough, in that it only used the
output of gss_display_name, i.e. the string representation
of a Kerberos principal, it could be used with or without GSS,
and independent of Kerberos too.

The gssklogd uses such a routine that came from an early version of
Globus. Note that it is passed a string, which could be a principal
or an X.509 name.

I am not saying to use this routine as such, but a simple API that
is independent of Kerberos, or at least of the different versions of Kerberos.

Function:   globus_gss_assist_userok.c
     Check to see if a particular globusid is authorized to access
     the given local user account.

     globusid, the globus id in string form

     userid, the local account that access is sought for

     Returns:
     0 on success (authorization allowed)
     !=0 on failure or authorization denied

int globus_gss_assist_userok(char *     globusid,
                             char *     userid)

> /Johan


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
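As an added illustration (not code from this thread, from Heimdal, or from Globus) of the kind of name-based userok routine proposed above: a C function that takes only the string form of the authenticated name (whatever gss_display_name returns, a Kerberos principal or an X.509 subject) plus the requested local account, consults an in-memory access map, and returns 0 only on an exact match. The map format, the sample entries and the function names are constructed assumptions for this example; nothing is read from the file system, so it sits entirely outside libkrb5 and GSS.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample access map (hypothetical format, not Heimdal's
 * .k5login nor Globus's grid-mapfile): one entry per line, subject
 * first, then the local account. Subjects that contain whitespace
 * (e.g. X.509 names) are double-quoted; '#' starts a comment. */
static const char *sample_map =
    "# subject                                 local account\n"
    "alice@EXAMPLE.ORG                          alice\n"
    "alice/admin@EXAMPLE.ORG                    root\n"
    "\"/C=US/O=Example Org/CN=Bob Smith\"       bob\n"
    "\n";

/* Parse one map line into subject and user. Returns 1 for a usable
 * entry, 0 for blank, comment, malformed or over-long lines. */
static int parse_entry(const char *line, size_t len,
                       char *subject, size_t subj_sz,
                       char *user, size_t user_sz)
{
    const char *p = line, *end = line + len;
    const char *s_start, *s_end, *u_start, *u_end;

    while (p < end && isspace((unsigned char)*p)) p++;
    if (p == end || *p == '#') return 0;

    if (*p == '"') {                       /* quoted subject */
        s_start = ++p;
        while (p < end && *p != '"') p++;
        if (p == end) return 0;            /* unterminated quote: reject */
        s_end = p++;
    } else {                               /* bare subject, no spaces */
        s_start = p;
        while (p < end && !isspace((unsigned char)*p)) p++;
        s_end = p;
    }
    while (p < end && isspace((unsigned char)*p)) p++;
    u_start = p;
    while (p < end && !isspace((unsigned char)*p)) p++;
    u_end = p;

    if (s_end == s_start || u_end == u_start) return 0;
    if ((size_t)(s_end - s_start) >= subj_sz ||
        (size_t)(u_end - u_start) >= user_sz) return 0;
    memcpy(subject, s_start, s_end - s_start); subject[s_end - s_start] = '\0';
    memcpy(user, u_start, u_end - u_start);     user[u_end - u_start] = '\0';
    return 1;
}

/* generic_userok: 0 if `subject` (the displayed name of the authenticated
 * peer) may use local account `userid`, non-zero otherwise.
 * Default-deny: NULL or empty arguments, parse problems and missing
 * entries all deny. Matching is an exact, case-sensitive string compare;
 * any canonicalisation of principals or DNs must happen before the call. */
int generic_userok(const char *map, const char *subject, const char *userid)
{
    char subj[256], user[64];
    const char *line = map;

    if (map == NULL || subject == NULL || userid == NULL) return 1;
    if (*subject == '\0' || *userid == '\0') return 1;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (parse_entry(line, len, subj, sizeof subj, user, sizeof user) &&
            strcmp(subj, subject) == 0 && strcmp(user, userid) == 0)
            return 0;
        if (!nl) break;
        line = nl + 1;
    }
    return 1;
}

int main(void)
{
    const char *checks[][2] = {
        { "alice@EXAMPLE.ORG", "alice" },
        { "alice@EXAMPLE.ORG", "root" },
        { "/C=US/O=Example Org/CN=Bob Smith", "bob" },
        { "mallory@EXAMPLE.ORG", "alice" },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("%-36s -> %-6s : %s\n", checks[i][0], checks[i][1],
               generic_userok(sample_map, checks[i][0], checks[i][1]) == 0
                   ? "allowed" : "denied");
    return 0;
}
```

The routine never touches Kerberos types, so the same call serves a plain krb5 server (pass the unparsed principal) and a GSS acceptor (pass the gss_display_name output); the application decides which mechanism produced the string, and the check only answers "is this name allowed on this account".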