Features/KRB5CacheMove

From FedoraProject

(Feature Name)
(Detailed Description)
(25 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section.  They are invisible when viewing this page.  To read it, choose the "edit" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.'''}}
 
 
{{admon/important | Set a Page Watch| Make sure you click ''watch'' on your new page so that you are notified of changes to it by others, including the Feature Wrangler}}
 
 
{{admon/note | All sections of this template are required for review by FESCo.  If any sections are empty it will not be reviewed }}
 
 
 
 
<!-- All fields on this form are required to be accepted by FESCo.
 
<!-- All fields on this form are required to be accepted by FESCo.
 
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
 
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
Line 11: Line 4:
 
<!-- The actual name of your feature page should look something like: Features/YourFeatureName.  This keeps all features in the same namespace -->
 
<!-- The actual name of your feature page should look something like: Features/YourFeatureName.  This keeps all features in the same namespace -->
  
= Feature Name <!-- The name of your feature --> =
+
= KRB5 Credential Cache Move =
KRB5 Credential Cache Move
+
 
  
 
== Summary ==
 
== Summary ==
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
  
This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$USERNAME/krb5cc
+
This feature changes the default location of a user's Kerberos credential cache from living in /tmp/krb5cc_$UID or /tmp/krb5cc_$UID_XXXXXX to being a similarly-named file in the /run/user/$UID directory.
  
 
== Owner ==
 
== Owner ==
 
<!--This should link to your home wiki page so we know who you are-->
 
<!--This should link to your home wiki page so we know who you are-->
 
* Name: [[User:Sgallagh| Stephen Gallagher]]
 
* Name: [[User:Sgallagh| Stephen Gallagher]]
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
 
 
* Email: sgallagh@fedoraproject.org
 
* Email: sgallagh@fedoraproject.org
 +
 +
* Name: [[User:Dwalsh| Dan Walsh]]
 +
* Email: dwalsh@fedoraproject.org
  
 
== Current status ==
 
== Current status ==
 
* Targeted release: Fedora 18
 
* Targeted release: Fedora 18
* Last updated: 2012-02-23
+
* Last updated: 2012-07-17
* Percentage of completion: 10%
+
* Percentage of completion: 100%
  
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
Line 36: Line 30:
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
  
Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.  
+
Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.
 +
 
 +
 
 +
The components which obtain credentials and set up a credential cache for a user at login-time currently set $KRB5CCNAME to point to the user's credential cache, and as they change where they place the credential caches, this value will continue to be set to reflect the correct location.  As a result, processes which run as part of the user's session should be expected to handle this transition automatically and without any specific modifications.
 +
 
 +
 
 +
Processes which do not run as part of the user's session, but which still wish to use the credentials which belong to a given user, will need to be modified.  Typically, their current practice is to search the /tmp directory for a suitably-named file which belongs to the user in question, and for each one that is found, to check if it contains unexpired credentials.  These processes (rpc.gssd and its CIFS counterpart (cifs.upcall?), at least) will need to be configured or patched to search the new location in preference over the old one.
 +
 
 +
To be more specific, processes which currently consider "FILE:/tmp/krb5cc_${UID}*" should change their search to also include "FILE:/run/user/${UID}/krb5cc*", preferably to be searched before /tmp.  Note that [[Features/KRB5DirCache]] will also require adding "DIR:/run/user/${UID}/krb5cc*" to this list, preferably either before or at the same time that files in /run/user/${UID} are being considered.
 +
 
 +
Because these processes may need to use the user's credentials in order to allow normal login to occur at all, updates to their packages should be considered to be of higher priority than updates to other packages which require changes as part of implementing this feature.
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
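Review bot: The added sentence naming "rpc.gssd and its CIFS counterpart (cifs.upcall?), at least" leaves an open question in the published text. Confirm the helper's name and drop the question mark, or refer to the cifs-utils package that the Dependencies list already names.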
Line 54: Line 58:
 
opposed to just server that accept kerberos connections), it may be
 
opposed to just server that accept kerberos connections), it may be
 
needed to add a configuration snippet in their configuration file
 
needed to add a configuration snippet in their configuration file
under /etc/tmpfiles.d so that /run/user/<username> is created with the
+
under /etc/tmpfiles.d so that /run/user/$UID is created with the
 
correct permissions (700) and user ownership.
 
correct permissions (700) and user ownership.
  
Line 60: Line 64:
 
the /etc/tmpfiles.d/httpd.conf:
 
the /etc/tmpfiles.d/httpd.conf:
  
d /var/run/user/apache   700 apache apache
+
d /var/run/user/48   700 apache apache
  
 
If you know your daemon requires a credential cache file and does not
 
If you know your daemon requires a credential cache file and does not
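Review bot: The example line "d /var/run/user/48   700 apache apache" still uses the /var/run/user path, while the summary and the paragraph just above it name /run/user/$UID; use the same path in the example so it matches the text. The bare 48 also deserves a few words saying it is the apache user's UID, since it replaces the self-explanatory /var/run/user/apache.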
Line 82: Line 86:
 
-->
 
-->
  
1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$USERNAME/krb5cc
+
1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is either FILE:/run/user/$UID/krb5cc or has a name based on the pattern FILE:/run/user/$UID/krb5cc_XXXXXX.
2. Verify that applications such as apache (used with mod-auth_kerb) put their credential caches in /run/user/$SVCUSERNAME as well
+
  
 
== User Experience ==
 
== User Experience ==
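Review bot: Step 2, the check that applications such as apache put their credential caches under /run/user, is removed with no replacement, so the test plan no longer covers daemon-owned caches even though the page still carries the httpd tmpfiles.d example. Consider keeping the step, reworded to use the service user's /run/user/$UID in place of /run/user/$SVCUSERNAME.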
Line 94: Line 97:
  
 
This list is not (yet) complete:
 
This list is not (yet) complete:
* sssd
+
* [https://bugzilla.redhat.com/show_bug.cgi?id=786957 sssd]
* mod_auth_kerb
+
* [https://bugzilla.redhat.com/show_bug.cgi?id=833026 pam_krb5]
* sshd
+
* [https://bugzilla.redhat.com/show_bug.cgi?id=796430 mod_auth_kerb]
* nfs-utls
+
* [https://bugzilla.redhat.com/show_bug.cgi?id=848228 sshd]
 +
* [https://bugzilla.redhat.com/show_bug.cgi?id=833024 nfs-utils]
 +
* [https://bugzilla.redhat.com/show_bug.cgi?id=848223 cifs-utils]
 +
* kstart
 +
* [https://bugzilla.redhat.com/show_bug.cgi?id=848226 krb5-appl]
 +
 
 +
For daemons that use a keytab to obtain credentials because they act as clients (as
 +
opposed to only acting as servers that accept kerberos-authenticated connections), it may be
 +
necessary to add a configuration file
 +
under /usr/lib/tmpfiles.d (or add to an existing one) so that /run/user/$UID is created with
 +
permissions (700) and user ownership suitable for use by the daemon.
 +
 
 +
For example, httpd would add the following line to
 +
the /usr/lib/tmpfiles.d/httpd.conf:
 +
 
 +
d /var/run/user/48  700 apache apache
 +
 
 +
 
 +
Some other daemons (such as rpc.gssd and sshd) are hard-coded to use, and assume that others use, locations in /tmp, and will require patching to complete this transition.
 +
 
 +
We are still investigating which packages require changes.
  
 
== Contingency Plan ==
 
== Contingency Plan ==
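Review bot: The paragraph added under Dependencies repeats the Scope text but names /usr/lib/tmpfiles.d where Scope says /etc/tmpfiles.d, so the page now gives two different locations for the same snippet; pick one and state it in one place. In the list itself, kstart is the only entry without a Bugzilla link.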
Line 111: Line 134:
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
* TBD
+
* Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$UID in order to increase security and simplify locating the caches for NFSv4.
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
Line 117: Line 140:
  
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF18]]
 
<!-- When your feature page is completed and ready for review -->
 
<!-- When your feature page is completed and ready for review -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Revision as of 14:56, 7 September 2012


KRB5 Credential Cache Move

Summary

This feature changes the default location of a user's Kerberos credential cache from living in /tmp/krb5cc_$UID or /tmp/krb5cc_$UID_XXXXXX to being a similarly-named file in the /run/user/$UID directory.

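Owner

  • Name: Stephen Gallagher
  • Email: sgallagh@fedoraproject.org
  • Name: Dan Walsh
  • Email: dwalsh@fedoraproject.org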

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-07-17
  • Percentage of completion: 100%


Detailed Description

Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.


The components which obtain credentials and set up a credential cache for a user at login-time currently set $KRB5CCNAME to point to the user's credential cache, and as they change where they place the credential caches, this value will continue to be set to reflect the correct location. As a result, processes which run as part of the user's session should be expected to handle this transition automatically and without any specific modifications.


Processes which do not run as part of the user's session, but which still wish to use the credentials which belong to a given user, will need to be modified. Typically, their current practice is to search the /tmp directory for a suitably-named file which belongs to the user in question, and for each one that is found, to check if it contains unexpired credentials. These processes (rpc.gssd and its CIFS counterpart (cifs.upcall?), at least) will need to be configured or patched to search the new location in preference over the old one.

To be more specific, processes which currently consider "FILE:/tmp/krb5cc_${UID}*" should change their search to also include "FILE:/run/user/${UID}/krb5cc*", preferably to be searched before /tmp. Note that Features/KRB5DirCache will also require adding "DIR:/run/user/${UID}/krb5cc*" to this list, preferably either before or at the same time that files in /run/user/${UID} are being considered.
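The search order described above, as an added example (not code from rpc.gssd, cifs.upcall or any Fedora package): it lists a user's candidate caches with /run/user/$UID ahead of the legacy /tmp names and skips entries that do not belong to that user. The function names, the root-directory parameters and the rule rejecting group- or other-accessible entries are assumptions of this example; checking for unexpired credentials is left to the Kerberos library.

```python
import glob
import os
import stat


def _classify(path, uid):
    """Return "FILE" or "DIR" for a cache private to uid, else None."""
    try:
        st = os.lstat(path)              # lstat: never follow a symlink
    except OSError:
        return None                      # vanished between glob and lstat
    if st.st_uid != uid:                 # squatted name, or krb5cc_10* hit krb5cc_1000
        return None
    if st.st_mode & 0o077:               # group/other access (policy assumed here)
        return None
    if stat.S_ISREG(st.st_mode):
        return "FILE"
    if stat.S_ISDIR(st.st_mode):
        return "DIR"
    return None                          # symlink, fifo, device, ...


def candidate_ccaches(uid, run_root="/run/user", tmp_root="/tmp"):
    """List ccache names for uid: /run/user/$UID first, legacy /tmp last."""
    found = []
    run_pattern = os.path.join(glob.escape(run_root), str(uid), "krb5cc*")
    for path in sorted(glob.glob(run_pattern)):
        kind = _classify(path, uid)
        if kind:                         # FILE: caches and KRB5DirCache DIR: caches
            found.append("%s:%s" % (kind, path))
    tmp_pattern = os.path.join(glob.escape(tmp_root), "krb5cc_%d*" % uid)
    for path in sorted(glob.glob(tmp_pattern)):
        if _classify(path, uid) == "FILE":   # the old location only held files
            found.append("FILE:" + path)
    return found
```

The ownership test matters most for the /tmp pattern, where any local user can create a file named for another UID.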

Because these processes may need to use the user's credentials in order to allow normal login to occur at all, updates to their packages should be considered to be of higher priority than updates to other packages which require changes as part of implementing this feature.

Benefit to Fedora

The reason for the change is to make credential saving a bit more predictable while at the same time avoiding races. Along the way we also gain a little more security from the fact that /run is a tmpfs, so cached credentials are automatically removed when the machine is shut off.


Scope

For daemons that use a keytab to kinit because they act as clients (as opposed to just servers that accept Kerberos connections), it may be necessary to add a configuration snippet to their configuration file under /etc/tmpfiles.d so that /run/user/$UID is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:

d /var/run/user/48 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in Bugzilla and add the necessary configuration to tmpfiles.d.

How To Test

1. Verify that, when logging in through SSSD or pam_krb5, the credential cache listed by 'klist' is either FILE:/run/user/$UID/krb5cc or has a name based on the pattern FILE:/run/user/$UID/krb5cc_XXXXXX.

User Experience

The end-user experience should be minimally changed. The most noticeable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).

Dependencies

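This list is not (yet) complete:

  • sssd (https://bugzilla.redhat.com/show_bug.cgi?id=786957)
  • pam_krb5 (https://bugzilla.redhat.com/show_bug.cgi?id=833026)
  • mod_auth_kerb (https://bugzilla.redhat.com/show_bug.cgi?id=796430)
  • sshd (https://bugzilla.redhat.com/show_bug.cgi?id=848228)
  • nfs-utils (https://bugzilla.redhat.com/show_bug.cgi?id=833024)
  • cifs-utils (https://bugzilla.redhat.com/show_bug.cgi?id=848223)
  • kstart
  • krb5-appl (https://bugzilla.redhat.com/show_bug.cgi?id=848226)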

For daemons that use a keytab to obtain credentials because they act as clients (as opposed to only acting as servers that accept Kerberos-authenticated connections), it may be necessary to add a configuration file under /usr/lib/tmpfiles.d (or add to an existing one) so that /run/user/$UID is created with permissions (700) and user ownership suitable for use by the daemon.

For example, httpd would add the following line to the /usr/lib/tmpfiles.d/httpd.conf:

d /var/run/user/48 700 apache apache


Some other daemons (such as rpc.gssd and sshd) are hard-coded to use, and assume that others use, locations in /tmp, and will require patching to complete this transition.

We are still investigating which packages require changes.

Contingency Plan

Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.

Documentation

  • No relevant documentation

Release Notes

  • Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$UID in order to increase security and simplify locating the caches for NFSv4.

Comments and Discussion