[20119] in Kerberos_V5_Development
Re: Alternative proxy-creds API for constrained-delegation
daemon@ATHENA.MIT.EDU (Nico Williams)
Wed Jun 3 17:26:58 2020
Date: Wed, 3 Jun 2020 16:26:32 -0500
From: Nico Williams <nico@cryptonector.com>
To: Isaac Boukris <iboukris@gmail.com>
Message-ID: <20200603212631.GC7856@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20200603193411.GZ7856@localhost>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, Jun 03, 2020 at 02:34:13PM -0500, Nico Williams wrote:
> On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> > On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico@cryptonector.com> wrote:
> > > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > > This sounds a lot of application logic, and we also don't want to
> > > > implicitly delegate a ticket at this point.
> > >
> > > On the contrary, this makes the app simpler because configuration now is
> > > something of a hole: the app doesn't need to know anything about it, it
> > > just passes through settings from a config file.
> > >
> > > We do this in our sshd already, so it won't need _any_ changes in order
> > > to use this new configuration parameter.
> >
> > Not sure I follow, so your sshd won't need any changes, how does that
> > make it simple for others? And again, we don't want to implicitly
> > delegate a ticket at this point.
>
> I'm going to publish our patches (got permission today), and hopefully
> we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
> contribute to OpenSSH.
https://github.com/gss-openssh/openssh-portable/tree/V_8_0_P1-with-gss-keyex-and-HPN
I'll be rebasing these, squashing some dropping all the "Release ..."
commits, maybe splitting Debian, HPN, and GSS KEYEX commits into
separate branches, with master having all the patches.
> Regardless, if you follow this pattern in other apps, you'll get the
> same benefit of making the use of new configuration parameters not
> require further app changes -- IMO minimizing future needed code changes
> is a very powerful feature.
The code in question is here:
- cred_store key/value setup:
https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L161
Yes, it's more lines of code than your alternative, but this has to
be written only once -- new config parameters can just be added to
sshd_config (see below).
- gss_store_cred_into2() call:
https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L178
- relevant sshd_config parsing parts:
https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L283
https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L1611
Now I'm thinking it'd be nice to have separate sshd_config params for
acceptor acquisition from cred_store and storing of
deleg_cred_handles...
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
