From Fedora Project Wiki
(Change date format for automatic processing)
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{admon/note | All sections of this template are required for review by FESCo.  If any sections are empty it will not be reviewed }}
<!-- {{admon/note | All sections of this template are required for review by FESCo.  If any sections are empty it will not be reviewed }}-->
 
 
<!-- All fields on this form are required to be accepted by FESCo.
<!-- All fields on this form are required to be accepted by FESCo.
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->
= GSS Proxy <!-- The name of your feature --> =
= GSS Proxy <!-- The name of your feature --> =


Line 26: Line 22:


== Current status ==
== Current status ==
* Targeted release: [[Releases/18 | Fedora 18 ]]  
* Targeted release: [[Releases/19 | Fedora 19 ]]  
* Last updated: 2012/06/30
* Last updated: 2013-01-23
* Percentage of completion: 90%
* Percentage of completion: 95%


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Line 39: Line 34:
are several motivations for this some of which are:
are several motivations for this some of which are:


- Kernel-mode GSS-API applications (CIFS, NFS, AFS, ...) need to be
* Kernel-mode GSS-API applications (CIFS, NFS, AFS, ...) need to be able to leave all complexity of GSS_Init/Accept_sec_context() out of the kernel by upcalling to a daemon that does all the dirty work.
  able to leave all complexity of GSS_Init/Accept_sec_context() out of
* Isolation and privilege separation for user-mode applications. For example: letting HTTP servers use but not see the keytab entries for HTTP/* principals for accepting security contexts.
  the kernel by upcalling to a daemon that does all the dirty work.
* Possibly an ssh-agent-like SSH agent for GSS credentials -- a gss-agent.
 
- Isolation and privilege separation for user-mode applications. For
  example: letting HTTP servers use but not see the keytabe entries for
  HTTP/* principals for accepting security contexts.
 
- Possibly an ssh-agent-like SSH agent for GSS credentials -- a
  gss-agent.


In order to use the gssproxy only the gssproxy daemon has to be started at boottime. Once this is done, the GSSAPI mechglue library will make sure all GSSAPI calls issued by an application are directed to the gssproxy service transparently. Depending on the configuration of the system, the gssproxy daemon will then allow or disallow access to cryptographic keys stored in keytabs on the system.
In order to use the gssproxy only the gssproxy daemon has to be started at boottime. Once this is done, the GSSAPI mechglue library will make sure all GSSAPI calls issued by an application are directed to the gssproxy service transparently. Depending on the configuration of the system, the gssproxy daemon will then allow or disallow access to cryptographic keys stored in keytabs on the system.


Two major features that are planned to be achieved for Fedora19:
* rpc.gssd, the NFS client application, should be enabled to use the gssproxy. It will be possible to aquire tickets for kerberized NFS mounts given user keytabs.
* gssproxy will offer Kerberos ticket renewal when user keytabs are available


== Benefit to Fedora ==
== Benefit to Fedora ==
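Review bot: The added rpc.gssd bullet misspells "acquire" as "aquire", and the new lead-in line writes "Fedora19" where the status section uses "Fedora 19". Suggest fixing both, and ending the second added bullet ("gssproxy will offer Kerberos ticket renewal when user keytabs are available") with a period so it matches the first.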
Line 57: Line 48:


The key benefit for Fedora will be that we can provide more fine grained control over controlling access of applications to highly sensible cryptographic key material (keytabs). This in general improves security on the system.
The key benefit for Fedora will be that we can provide more fine grained control over controlling access of applications to highly sensible cryptographic key material (keytabs). This in general improves security on the system.
== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Line 93: Line 83:


The kernel will use the gssproxy interface.
The kernel will use the gssproxy interface.


== Contingency Plan ==
== Contingency Plan ==
Line 102: Line 91:
== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
* Currently there is only Protocol Documentation available online: [https://fedorahosted.org/gss-proxy/].
 
* The gssproxy project wiki page of the MIT Consortium: [http://k5wiki.kerberos.org/wiki/Projects/ProxyGSSAPI]
* Protocol Documentation is available online as well: [https://fedorahosted.org/gss-proxy/].


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
* gssproxy is an opensource project that aims to improve GSSAPI usage from both the kernel (for authenticating remote file system access) as well as user-space applications. It does provide fine-grained access control on Kerberos keytab access and it overcomes various limitations the kernel had when dealing with Kerberos tickets.


== Comments and Discussion ==
== Comments and Discussion ==
* See [[Talk:Features/Your_Feature_Name]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
* See [[Talk:Features/gssproxy]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->




[[Category:FeaturePageIncomplete]]
[[Category:FeatureAcceptedF19]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
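Review bot: The category changes to FeatureAcceptedF19, but the template comments kept directly below it still instruct the editor to remove Category:FeaturePageIncomplete and switch to Category:FeatureReadyForWrangler, which no longer applies; consider dropping those comments. In the Documentation list, both external links are bare bracketed URLs without link text, so they render only as numbered references; adding a label after each URL would make the list readable, and the trailing period after the second link is inconsistent with the first.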

Revision as of 12:10, 28 February 2013

GSS Proxy

Summary

The main purpose of this project is to replace rpc.svcgssd(8), the server-side rpcsec_gss daemon.

The gss-proxy consists of a standardized RPC protocol, a client and server implementation with other future components. The gss-proxy protocol allows proxying of GSSAPI initiation and authentication.

Owner

  • Email: <ssorce@redhat.com>

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-01-23
  • Percentage of completion: 95%

Detailed Description

The goal is to have a GSS-API proxy with a standardizable protocol and a [somewhat portable] reference client and server implementation. There are several motivations for this, some of which are:

  • Kernel-mode GSS-API applications (CIFS, NFS, AFS, ...) need to be able to leave all complexity of GSS_Init/Accept_sec_context() out of the kernel by upcalling to a daemon that does all the dirty work.
  • Isolation and privilege separation for user-mode applications. For example: letting HTTP servers use but not see the keytab entries for HTTP/* principals for accepting security contexts.
  • Possibly an ssh-agent-like SSH agent for GSS credentials -- a gss-agent.

To use gssproxy, only the gssproxy daemon has to be started at boot time. Once this is done, the GSSAPI mechglue library will make sure that all GSSAPI calls issued by an application are transparently directed to the gssproxy service. Depending on the configuration of the system, the gssproxy daemon will then allow or disallow access to cryptographic keys stored in keytabs on the system.
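The "use but not see" property only holds if the client process cannot read the keytab file itself. The following is an added example, not part of this feature page or the gssproxy code base: it audits a gssproxy-style configuration for keytabs that the configured client uid could read directly. The section and option names (`service/NAME`, `cred_store`, `euid`) follow the configuration syntax of later gssproxy releases and are assumptions here, as are the paths, uid 48 and the helper names.

```python
import stat

# Constructed sample. Section and option names follow the gssproxy.conf syntax
# of later gssproxy releases (an assumption); paths and uid 48 are made up.
SAMPLE_CONF = """\
[gssproxy]
[service/HTTP]
  cred_store = keytab:/etc/gssproxy/http.keytab
  euid = 48
[service/legacy]
  cred_store = keytab:/etc/httpd/conf/httpd.keytab
  euid = 48
"""
# Constructed file metadata: path -> (owner uid, group gid, mode bits).
SAMPLE_FILES = {"/etc/gssproxy/http.keytab": (0, 0, 0o600),
                "/etc/httpd/conf/httpd.keytab": (0, 48, 0o640)}

def parse_services(text):
    """Map each [service/NAME] section to its euid and keytab paths."""
    services, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            name = line.strip("[]")
            cur = (services.setdefault(name[8:], {"euid": "", "keytabs": []})
                   if name.startswith("service/") else None)
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, val = (part.strip() for part in line.split("=", 1))
            if key == "euid":
                cur["euid"] = val
            elif key == "cred_store" and val.startswith("keytab:"):
                cur["keytabs"].append(val[len("keytab:"):])
    return services

def can_read(uid, gids, owner, group, mode):
    """Classic Unix permission check (ignores ACLs and capabilities)."""
    bit = stat.S_IRUSR if uid == owner else stat.S_IRGRP if group in gids else stat.S_IROTH
    return uid == 0 or bool(mode & bit)

def exposed_keytabs(conf, files, gids_of):
    """Return (service, keytab) pairs where the client uid can read the keytab."""
    hits = []
    for name, svc in parse_services(conf).items():
        if not svc["euid"].isdigit():
            continue  # named or missing euid: resolve it before auditing
        uid = int(svc["euid"])
        for path in svc["keytabs"]:
            if path in files and can_read(uid, gids_of.get(uid, set()), *files[path]):
                hits.append((name, path))
    return hits
```

On a real host the file metadata would come from `os.stat()` on each keytab path and the group set from the account database.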

Two major features are planned for Fedora 19:

  • rpc.gssd, the NFS client application, should be enabled to use the gssproxy. It will be possible to acquire tickets for kerberized NFS mounts given user keytabs.
  • gssproxy will offer Kerberos ticket renewal when user keytabs are available.

Benefit to Fedora

The key benefit for Fedora will be more fine-grained control over applications' access to highly sensitive cryptographic key material (keytabs). This in general improves security on the system.

Scope

Work on the GSSAPI mechglue library is in progress but is currently not finished.

In order to properly load our mechglue library, some modifications to the system GSSAPI/Kerberos library (MIT) are required. Work on this has progressed well and is coordinated with upstream (MIT).

How To Test

Currently we use a test program (shipped with the main tarball) to do basic testing of our implementation. Once the mechglue interface is in place, any tests written for the GSSAPI interface itself can be used to test the gssproxy as well.

For the current testing you need a working KDC, a keytab has to be created, and gssproxy needs to be properly installed and configured.

User Experience

The use of the gssproxy protocol and implementation is completely transparent to the user. Applications also do not need to be modified in order to benefit from the gssproxy.

Dependencies

The kernel will use the gssproxy interface.

Contingency Plan

In case the gssproxy is not complete by the end of the final development freeze, Fedora can just decide to not ship it.

Documentation

  • The gssproxy project wiki page of the MIT Consortium: http://k5wiki.kerberos.org/wiki/Projects/ProxyGSSAPI
  • Protocol Documentation is available online as well: https://fedorahosted.org/gss-proxy/

Release Notes

  • gssproxy is an open source project that aims to improve GSSAPI usage from both the kernel (for authenticating remote file system access) and user-space applications. It provides fine-grained access control on Kerberos keytab access and overcomes various limitations the kernel had when dealing with Kerberos tickets.

Comments and Discussion