
Re: MEMORY credential cache interop between Heimdal and MIT?
>This is actually a fundamental problem with authentication mechanisms in
>general. It gets into the issue of how to manage credentials. Currently
>Kerberos uses disk files. That is clumsy and in some cases downright
>insecure. I have personally concluded that the proper solution is for
>the OS to provide a secure storage mechanism where a library can put
>arbitrary data that can be accessed using a key such as a simple number
>or preferably a string (e.g. 'krb5:MEMORY:') that may be accessed ONLY
>by the same pid or by a descendant (i.e. the storage is inherited).
>
>I'm not sure if this can be done entirely in userspace but if it could
>that would be an interesting project. Then you could have MEMORY: ccache
>and keytab interoperability and get around a lot of ugly environment
>variable / file hacks.

I actually implemented exactly this type of credential cache a few
years ago.  Mind you, since it was designed to be portable across
all variants of Unix it introduces its own set of bizarro ugly
hacks.  It doesn't use the mmap() stuff that Thor mentioned (I was
not aware of that feature of mmap() at the time I wrote my credential
cache).  I think if you used mmap() you'd have to do some locking
which could complicate things, but I don't think it's an unsolvable
problem.

While it's relatively straightforward to develop a credential cache
which is only accessible to descendants of a master process, I was
unable to come up with a reasonable way of restricting access to
the credential cache to certain programs.  I am not convinced this
is a solvable problem; perhaps it is solvable with OS-specific
extensions, but I cannot see how to solve this problem in a portable
way.  The credential cache I developed solved a particular problem
we were having, and we've been using it in production for a number
of years.  But it's not a panacea for the generic problem of keeping
a bad guy away from my credentials.

(I have removed kitten from the cc: line; I do not believe this discussion
is in scope for that WG).

--Ken
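The descendant-only, inherited memory store that the quoted text asks for, as an added example (not Ken's cache and not code from any Kerberos implementation): an anonymous shared mmap() region created before fork(), guarded by a process-shared spinlock so parent and children never update it concurrently. The `memcc_*` names and the "ticket" bytes are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <stdatomic.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define MEMCC_MAX 256

/* Anonymous shared mapping: no filesystem name, so only the creating process
 * and descendants that inherit it across fork() can reach it. The flag is a
 * spinlock so parent and children never update the blob concurrently. */
struct memcc { atomic_flag lock; size_t len; unsigned char data[MEMCC_MAX]; };
struct memcc *memcc_create(void) {
    struct memcc *cc = mmap(NULL, sizeof *cc, PROT_READ | PROT_WRITE,
                            MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (cc == MAP_FAILED) return NULL;
    atomic_flag_clear(&cc->lock);
    cc->len = 0;
    return cc;
}
int memcc_store(struct memcc *cc, const void *buf, size_t len) {
    if (len > MEMCC_MAX) return -1;             /* refuse to overflow the slot */
    while (atomic_flag_test_and_set(&cc->lock)) { }
    memcpy(cc->data, buf, len);
    cc->len = len;
    atomic_flag_clear(&cc->lock);
    return 0;
}
size_t memcc_fetch(struct memcc *cc, void *buf, size_t cap) {
    while (atomic_flag_test_and_set(&cc->lock)) { }
    size_t n = cc->len < cap ? cc->len : cap;
    memcpy(buf, cc->data, n);
    atomic_flag_clear(&cc->lock);
    return n;
}
/* Store a constructed blob, fork, and let the child read it back through the
 * inherited mapping. Returns 1 when the child saw identical bytes, else 0. */
int memcc_demo(void) {
    static const char blob[] = "constructed-ticket-bytes";   /* not a real ticket */
    struct memcc *cc = memcc_create();
    if (!cc || memcc_store(cc, blob, sizeof blob) != 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {                             /* child: inherited the mapping */
        unsigned char got[MEMCC_MAX];
        size_t n = memcc_fetch(cc, got, sizeof got);
        _exit(n == sizeof blob && memcmp(got, blob, n) == 0 ? 0 : 1);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return 0;
    munmap(cc, sizeof *cc);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Every descendant can read the blob, which is exactly the limitation Ken describes: the mapping restricts access by process lineage, not by which program is running.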