Features/KRB5CacheMove

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Moved to FeatureAcceptedF18 - feature was accepted at 2012-03-19 meeting.)
(Dependencies)
Line 89: Line 89:
 
This list is not (yet) complete:
 
This list is not (yet) complete:
 
* sssd
 
* sssd
 +
* pam_krb5
 
* mod_auth_kerb
 
* mod_auth_kerb
 
* sshd
 
* sshd

Revision as of 17:28, 1 May 2012


Contents

KRB5 Credential Cache Move

Summary

This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$USERNAME/krb5cc

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-02-23
  • Percentage of completion: 10%


Detailed Description

Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.

Benefit to Fedora

The reason is to make credential saving a bit more predictable while at the same time avoiding races. Along the road we also gain a little bit more security by the fact that /run is a tmpfs and therefore cached credentials are automatically removed if the machine is shut off.


Scope

For daemons that use a keytab to kinit because they act as clients (as opposed to just server that accept kerberos connections), it may be needed to add a configuration snippet in their configuration file under /etc/tmpfiles.d so that /run/user/<username> is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d

How To Test

1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$USERNAME/krb5cc 2. Verify that applications such as apache (used with mod-auth_kerb) put their credential caches in /run/user/$SVCUSERNAME as well

User Experience

The end-user experience should be minimally changed. The most noticable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).

Dependencies

This list is not (yet) complete:

  • sssd
  • pam_krb5
  • mod_auth_kerb
  • sshd
  • nfs-utls
  • kstart


For daemons that use a keytab to kinit because they act as clients (as opposed to just server that accept kerberos connections), it may be needed to add a configuration snipppet in their configuration file under /etc/tmpfiles.d so that /run/user/<username> is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache 700 apache apache


Some other daemons (such as rpc.gssd and sshd) have hard-coded /tmp locations and will require patching to complete this transition.

We are still investigating which packages require changes.

Contingency Plan

Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.

Documentation

  • No relevant documentation

Release Notes

  • Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$USERNAME in order to increase security and simplify locating the caches for NFSv4.

Comments and Discussion