[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PIPE ccache implementation for Heimdal

Ken Hornstein was nice enough to supply me with his PIPE ccache code. It
was simple enough that I was able to port it to Heimdal without too much
trouble. For your entertainment, please find the attached pcache.c file
for Heimdal.

Installation and build instructions are in the comments. Also attached is
a kshell.c (also supplied by Ken) that will create a PIPE ccache instance
and execvp a new shell (2 lines were modified to build stand-alone on
Linux without MIT).

For the un-initiated the purpose of this code is to allow multiple
processes to share a credential cache without using disk files. Disk files
are limited to file based access control which may not be consistent
with correct credential access controls. By creating a pipe (actually
it's a socket), the descriptor is dup2'd into the end of the file table
which is inherited by child processes (usually). So only processes that
inherit this descriptor can access the credential cache. This is a very
desirable model (although not the only one for sure).

Unfortunately I've only tested kinit, klist and kdestroy because I don't
have access to the necessary kerberized services like rcp and such. I
was just curious as to how this worked in general and I won't be using
it in the near future (it still doesn't solve my web server scenario
since a mischievous user can easily find the said descriptor and access
the ccache). Anyway I thought I'd post it in case someone else wanted
to play with it. It could be made into a nice solution for desktops
(e.g. execvp-ing your window manager through kshell). Ken is using his
MIT version in production right now.

Note that currently I do not believe this code is suitable for inclusion
in Heimdal. It calls fork(2), the format of what is transmitted over
the socket is a iovec'd chunks of der and MIT and Heimdal coding styles
are mixed together. I think the fork(2) and socketpair calls could be
factored out so that applications can call initialization and processing
routines from their own event loop (which in practice is the desired MO
ultimately). As for the socket protocol there should be some first-class
ASN.1 to provide a well defined protocol that has a version number,
multiplex-id, support for different credential types, etc.

Incedentally from looking at this code I think the highly desired ccache
plugin architecture would be problematic. Heimdal uses ASN.1 types which
is nice to workwith whereas MIT does not and that makes normalizing data
structures problematic.


Michael B Allen
PHP Active Directory SPNEGO SSO