IETF Logo Mail Archive

Re: [kitten] Permissible (and imp..) side-effects of GSS_Acquire_cred()

Jeffrey Altman <jaltman@secure-endpoints.com> Sat, 28 March 2015 18:41 UTC

Return-Path: <prvs=1529e9c664=jaltman@secure-endpoints.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0C31A8AD6 for <kitten@ietfa.amsl.com>; Sat, 28 Mar 2015 11:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zonWKZvxehzE for <kitten@ietfa.amsl.com>; Sat, 28 Mar 2015 11:41:14 -0700 (PDT)
Received: from sequoia-grove.secure-endpoints.com (sequoia-grove.ad.secure-endpoints.com [208.125.0.235]) (using TLSv1.2 with cipher AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1555C1A8737 for <kitten@ietf.org>; Sat, 28 Mar 2015 11:41:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=secure-endpoints.com; s=MDaemon; t=1427568052; x=1428172852; q=dns/txt; h=VBR-Info:Message-ID:Date:From:Organization: User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To: OpenPGP:Content-Type; bh=JmMwg+oy2V+N2u7YfG1+EqATzcun1VfuI4mjmGz xLMU=; b=py38NjKm7etxttrmJKuZOPw6TzOwx6BSNAIKNbes/+mgZEZ44Y2hjnc KHIoK0NC8+RX7IDQ0q4dWGZXGQlRPe2SeMrrPgbdXeyCO55/+95aUWgNhOWJYSJk uWDFSv/yB1RxKIqhJDdPVvNMyLXbV0ZeD0z72uoF0vILg56f3094=
X-MDAV-Result: clean
X-MDAV-Processed: sequoia-grove.secure-endpoints.com, Sat, 28 Mar 2015 14:40:52 -0400
X-Spam-Processed: sequoia-grove.secure-endpoints.com, Sat, 28 Mar 2015 14:40:51 -0400
Received: from [x.x.x.x] by secure-endpoints.com (Cipher TLSv1:AES-SHA:128) (MDaemon PRO v15.0.0) with ESMTPSA id md50000847162.msg for <kitten@ietf.org>; Sat, 28 Mar 2015 14:40:50 -0400
VBR-Info: md=secure-endpoints.com; mc=all; mv=vbr.emailcertification.org;
X-MDArrival-Date: Sat, 28 Mar 2015 14:40:50 -0400
X-Authenticated-Sender: jaltman@secure-endpoints.com
X-Return-Path: prvs=1529e9c664=jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kitten@ietf.org
Message-ID: <5516F5AC.2040904@secure-endpoints.com>
Date: Sat, 28 Mar 2015 14:40:44 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Simo Sorce <simo@redhat.com>, Nico Williams <nico@cryptonector.com>
References: <20150311001817.GC7286@localhost> <1426771934.2981.127.camel@willson.usersys.redhat.com> <20150319151718.GD8099@localhost> <1426778409.2981.129.camel@willson.usersys.redhat.com> <20150319162847.GG8099@localhost> <1426784686.2981.130.camel@willson.usersys.redhat.com> <20150319173305.GH8099@localhost> <1426787041.2981.135.camel@willson.usersys.redhat.com>
In-Reply-To: <1426787041.2981.135.camel@willson.usersys.redhat.com>
OpenPGP: id=FA444AF197F449B24CF3E699F77A735592B69A04; url=http://pgp.mit.edu
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms030400010707020406070100"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/gdb-vWXuaqhQXlauhQ4L8tkQ8uA>
Cc: kitten@ietf.org
Subject: Re: [kitten] Permissible (and imp..) side-effects of GSS_Acquire_cred()
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2015 18:41:15 -0000

On 3/19/2015 1:44 PM, Simo Sorce wrote:
> On Thu, 2015-03-19 at 12:33 -0500, Nico Williams wrote:
>> On Thu, Mar 19, 2015 at 01:04:46PM -0400, Simo Sorce wrote:
>>> Would you consider an explicitly set KRB5CCNAME env variable as an
>>> indication the admin is ok with acquired credentials ending up there ?
>>> Ie a) but using KRB5CCNAME presence as an indication a ccache can be
>>> used ?
>>
>> That helps, though there can still be non-determinism when the ccache
>> does not exist yet.  (But if the admin/user set it, why wouldn't they
>> also kinit -k to remove all doubt?)
> 
> Because, at least with the current implementation of the Keytab
> initiation feature in MIT, if you kinit explicitly then
> gss_init_sec_context will not take over and keep initiating when
> credentials expires etc...
> 
> I understand this may be simply an implementation issue/bug and it can
> be decided differently, but in general keytab initiation is used to
> allow unattended systems work on their own, so the admin will start a
> service with all the evn var set right and let it to it's own thing,
> requiring to script a manual kinit would defeat the purpose.
> 
> So I am trying to see if you think a) is compatible with something
> priming an empty initial ccache provided that both KRB5CCNAME and
> KRB5_CLIENT_KTNAME have been set in the environment (both required).
> 
> Simo.

Simo,

I would be more comfortable with an environment variable or krb5.conf
option that explicitly states to perform X behavior.  The existence of
environment variables that are useful on their own in combination should
not should trigger an unexpected behavior.  Especially when those
environment variables are interpreted different by different Kerberos
distributions.

Just my two cents ...

Jeffrey Altman

v2.23.0 | Report a Bug | By Email