Features/KRB5CacheMove

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Created page with "{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To rea...")
 
(Feature Name)
Line 12: Line 12:
  
 
= Feature Name <!-- The name of your feature --> =
 
= Feature Name <!-- The name of your feature --> =
 +
KRB5 Credential Cache Move
  
 
== Summary ==
 
== Summary ==
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
 +
 +
This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$USERNAME/krb5cc
  
 
== Owner ==
 
== Owner ==
 
<!--This should link to your home wiki page so we know who you are-->
 
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:FASAcountName| Your Name]]
+
* Name: [[User:Sgallagh| Stephen Gallagher]]
  
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
* Email: <your email address so we can contact you, invite you to meetings, etc.>
+
* Email: sgallagh@fedoraproject.org
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]
+
* Targeted release: Fedora 18
* Last updated: (DATE)
+
* Last updated: 2012-02-23
* Percentage of completion: XX%
+
* Percentage of completion: 10%
  
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
Line 32: Line 35:
 
== Detailed Description ==
 
== Detailed Description ==
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 +
 +
Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
 +
 +
The reason is to make credential saving a bit more predictable while at
 +
the same time avoiding races. Along the road we also gain a little bit
 +
more security by the fact that /run is a tmpfs and therefore cached
 +
credentials are automatically removed if the machine is shut off.
 +
 +
  
 
== Scope ==
 
== Scope ==
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 +
 +
For daemons that use a keytab to kinit because they act as clients (as
 +
opposed to just server that accept kerberos connections), it may be
 +
needed to add a configuration snippet in their configuration file
 +
under /etc/tmpfiles.d so that /run/user/<username> is created with the
 +
correct permissions (700) and user ownership.
 +
 +
For example, httpd would add the following line to
 +
the /etc/tmpfiles.d/httpd.conf:
 +
 +
d /var/run/user/apache  700 apache apache
 +
 +
If you know your daemon requires a credential cache file and does not
 +
specify one on its own but instead relies on the default location, then
 +
you should open a ticket in bugzilla and add the necessary configuration
 +
to tmpfiles.d
  
 
== How To Test ==
 
== How To Test ==
Line 53: Line 81:
 
3. What are the expected results of those actions?
 
3. What are the expected results of those actions?
 
-->
 
-->
 +
 +
1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$USERNAME/krb5cc
 +
2. Verify that applications such as apache (used with mod-auth_kerb) put their credential caches in /run/user/$SVCUSERNAME as well
  
 
== User Experience ==
 
== User Experience ==
 
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 +
 +
The end-user experience should be minimally changed. The most noticable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).
  
 
== Dependencies ==
 
== Dependencies ==
 
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
 
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
 +
 +
This list is not (yet) complete:
 +
* sssd
 +
* mod_auth_kerb
 +
* sshd
 +
* nfs-utls
  
 
== Contingency Plan ==
 
== Contingency Plan ==
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 +
 +
Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.
  
 
== Documentation ==
 
== Documentation ==
 
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
*
+
* No relevant documentation
  
 
== Release Notes ==
 
== Release Notes ==
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
+
* TBD
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
+
* See [[Talk:Features/KRB5CacheMove]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
  
  

Revision as of 20:33, 23 February 2012

Important.png
Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.
Important.png
Set a Page Watch
Make sure you click watch on your new page so that you are notified of changes to it by others, including the Feature Wrangler
Note.png
All sections of this template are required for review by FESCo. If any sections are empty it will not be reviewed



Contents

Feature Name

KRB5 Credential Cache Move

Summary

This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$USERNAME/krb5cc

Owner

  • Email: sgallagh@fedoraproject.org

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-02-23
  • Percentage of completion: 10%


Detailed Description

Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.

Benefit to Fedora

The reason is to make credential saving a bit more predictable while at the same time avoiding races. Along the road we also gain a little bit more security by the fact that /run is a tmpfs and therefore cached credentials are automatically removed if the machine is shut off.


Scope

For daemons that use a keytab to kinit because they act as clients (as opposed to just server that accept kerberos connections), it may be needed to add a configuration snippet in their configuration file under /etc/tmpfiles.d so that /run/user/<username> is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d

How To Test

1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$USERNAME/krb5cc 2. Verify that applications such as apache (used with mod-auth_kerb) put their credential caches in /run/user/$SVCUSERNAME as well

User Experience

The end-user experience should be minimally changed. The most noticable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).

Dependencies

This list is not (yet) complete:

  • sssd
  • mod_auth_kerb
  • sshd
  • nfs-utls

Contingency Plan

Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.

Documentation

  • No relevant documentation

Release Notes

  • TBD

Comments and Discussion