[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MEMORY credential cache interop between Heimdal and MIT?

To: heimdal-discuss@sics.se, Michael B Allen <miallen@ioplex.com>
Subject: Re: MEMORY credential cache interop between Heimdal and MIT?
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Thu, 16 Aug 2007 18:16:58 +0200
Cc: Ken Raeburn <raeburn@MIT.EDU>, jaltman@secure-endpoints.com, "Henry B. Hotz" <hotz@jpl.nasa.gov>, Alf Wachsmann <alfw@slac.stanford.edu>
In-Reply-To: <20070815233444.a1d54835.miallen@ioplex.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <Pine.LNX.4.64.0708151117370.17167@iris02.slac.stanford.edu> <540F131A-18D4-4343-AE0F-3B5D760DA215@jpl.nasa.gov> <20070815161906.8fcc2ddf.miallen@ioplex.com> <46C36271.7050402@secure-endpoints.com> <20070815183305.2580e548.miallen@ioplex.com> <79896EE9-9AE9-41C5-8F66-B144D0E0B1F8@mit.edu> <20070815233444.a1d54835.miallen@ioplex.com>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>

> The problem of a secure credential store can be separated into a few
> independent concepts.
>
>  1. How storage is acquired is independent from the format of it's  
> content
>     [1].
>  2. How storage is acquired is independent from the access control  
> logic
>     used to protect it.
>  3. The format of storage content is independent from the access  
> control
>     logic used to protect it.
>
> That divides the problem into three parts which is considerably  
> easier.
>
> Storage implementations might be based on one of the following:
>
>  o mmap(MAP_ANON)
>  o Linux in-kernel keychain support
>  o CCAPI on OSX or Windows
>  o Windows LSA Routines
>  o Disk file

Also add Heimdal's KCM and samba's winbindd (that today uses a FILE:
but if there was a IPC mechanism, it could store it internally).


> Note that these may not guarantee a complete implementation. Using
> mmap will not allow spawned processes (as opposed to forked) to access
> credentials that the access control logic would otherwise grant access
> to. Using a disk file for Kerberos credentials would effectively be a
> stub implementation that just called existing ccache routines. But the
> point is that the storage implementation has been parameterized.
>
> Access control implementations might be based on one of the following:
>
>  o Process ID based logic
>  o Windows ACL
>  o UNIX file access control based in uid
>  o Environment variable "secret" a la ssh-agent

Its good to be able to control access control based on the process-tree,
and only enviroment variables supports that. But I wouldn't call  
using env
variables to provide security a very secure solution.

> Again, you might not get a bullet proof implementation. An  
> implementation
> might use an environment variable set when a login shell was created
> to pass a "secret" to spawned processes. Anyone with knowledge of the
> secret is granted access to the credential store.
>
> Formats of object in storage is specific to the applications using it.
> For Kerberos it seems a credential format exists. The ccache file  
> format
> may not be officially standardized but it is understood by both  
> Heimdal
> and MIT.

FILE cc needs to exteneded to support more features, so while it might
be a good idea to use them in the short term, long term is would lock
us in to old format.

Love

Follow-Ups:
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>

References:
- MEMORY credential cache interop between Heimdal and MIT?
  - From: Alf Wachsmann <alfw@slac.stanford.edu>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>

Prev by Date: Re: "No database support for /var/heimdal/heimdal" ?
Next by Date: Re: MEMORY credential cache interop between Heimdal and MIT?
Prev by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Index(es):
- Date
- Thread