[20120] in Kerberos_V5_Development


Re: Alternative proxy-creds API for constrained-delegation

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Jun 3 18:21:17 2020

MIME-Version: 1.0
In-Reply-To: <20200603212631.GC7856@localhost>
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 4 Jun 2020 00:20:53 +0200
Message-ID: <CAC-fF8Qxt-ZmXiu6uWGZWvF7YcbsCh=gJ5pTXEPx_gw_+OTxrQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, Jun 3, 2020 at 11:26 PM Nico Williams <nico@cryptonector.com> wrote:
>
> On Wed, Jun 03, 2020 at 02:34:13PM -0500, Nico Williams wrote:
> > On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> > > On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico@cryptonector.com> wrote:
> > > > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > > > This sounds like a lot of application logic, and we also don't want to
> > > > > implicitly delegate a ticket at this point.
> > > >
> > > > On the contrary, this makes the app simpler because configuration now is
> > > > something of a hole: the app doesn't need to know anything about it, it
> > > > just passes through settings from a config file.
> > > >
> > > > We do this in our sshd already, so it won't need _any_ changes in order
> > > > to use this new configuration parameter.
> > >
> > > Not sure I follow, so your sshd won't need any changes, how does that
> > > make it simple for others? And again, we don't want to implicitly
> > > delegate a ticket at this point.
> >
> > I'm going to publish our patches (got permission today), and hopefully
> > we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
> > contribute to OpenSSH.
>
> https://github.com/gss-openssh/openssh-portable/tree/V_8_0_P1-with-gss-keyex-and-HPN
>
> I'll be rebasing these, squashing some, dropping all the "Release ..."
> commits, maybe splitting Debian, HPN, and GSS KEYEX commits into
> separate branches, with master having all the patches.
>
> > Regardless, if you follow this pattern in other apps, you'll get the
> > same benefit of making the use of new configuration parameters not
> > require further app changes -- IMO minimizing future needed code changes
> > is a very powerful feature.
>
> The code in question is here:
>
>  - cred_store key/value setup:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L161
>
>    Yes, it's more lines of code than your alternative, but this has to
>    be written only once -- new config parameters can just be added to
>    sshd_config (see below).
>
>  - gss_store_cred_into2() call:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L178
>
>  - relevant sshd_config parsing parts:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L283
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L1611

Thanks, I think I get it better now.

> Now I'm thinking it'd be nice to have separate sshd_config params for
> acceptor acquisition from cred_store and storing of
> deleg_cred_handles...

So if we go with gss_acquire_cred_from(), we can add a new store
option "delegation-policy: client-tgt,client-ticket" which will
override the corresponding krb5.conf option, which will default to
"client-tgt,proxy-creds". Then one could add GssCredStoreKeyValue
delegation-policy ...
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
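As an added illustration of the pattern discussed above (not code from the thread, from the gss-openssh fork, or from MIT krb5): sshd_config `GssCredStoreKeyValue` lines are collected into a cred_store, and the proposed `delegation-policy` entry overrides a krb5.conf default. The token names and the override rule come from Isaac's proposal; the flag values, the exact line syntax, the default's name and the `struct kv` stand-in for the GSS-API key/value type are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flags for the "delegation-policy" tokens proposed in the thread (values assumed). */
enum { POL_CLIENT_TGT = 1, POL_CLIENT_TICKET = 2, POL_PROXY_CREDS = 4 };

/* The krb5.conf default the thread proposes; the option does not exist yet (assumed). */
#define DEFAULT_DELEGATION_POLICY "client-tgt,proxy-creds"

/* Stand-in for one cred_store key/value element (not GSS-API's own type). */
struct kv { char key[64]; char value[256]; };

/* Parse a comma-separated token list into flags; -1 if any token is unknown. */
int parse_delegation_policy(const char *value)
{
    int flags = 0;
    for (const char *p = value; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 10 && strncmp(p, "client-tgt", len) == 0)         flags |= POL_CLIENT_TGT;
        else if (len == 13 && strncmp(p, "client-ticket", len) == 0) flags |= POL_CLIENT_TICKET;
        else if (len == 11 && strncmp(p, "proxy-creds", len) == 0)   flags |= POL_PROXY_CREDS;
        else return -1;               /* reject typos instead of silently widening the policy */
        p = end ? end + 1 : p + len;
    }
    return flags;
}

/* Collect "GssCredStoreKeyValue <key> <value>" lines (option name from the thread,
   exact syntax assumed) into a store of at most max entries; other lines are ignored. */
size_t collect_cred_store(const char *const *lines, size_t nlines, struct kv *store, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nlines && n < max; i++)
        if (sscanf(lines[i], "GssCredStoreKeyValue %63s %255s", store[n].key, store[n].value) == 2)
            n++;
    return n;
}

/* Effective policy: a cred_store "delegation-policy" entry overrides the krb5.conf default. */
int effective_delegation_policy(const struct kv *store, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].key, "delegation-policy") == 0)
            return parse_delegation_policy(store[i].value);
    return parse_delegation_policy(DEFAULT_DELEGATION_POLICY);
}

/* Convenience: sshd_config lines -> effective policy flags, or -1 on a bad value. */
int policy_from_config(const char *const *lines, size_t nlines)
{
    struct kv store[8];
    return effective_delegation_policy(store, collect_cred_store(lines, nlines, store, 8));
}
```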
