Template Version: @(#)sac_nextcase %I% %G% SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction
    1.1. Project/Component Working Name:
         Kerberos CCAPI
    1.2. Name of Document Author/Supplier:
         Author:  Shawn Emery
    1.3  Date of This Document:
         15 January, 2009

Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
This information is Copyright 2009 Sun Microsystems

1. Introduction
    1.1. Project/Component Working Name:
         CCAPI
    1.2. Name of Document Author/Supplier:
         Author:  Shawn M. Emery
    1.3  Date of This Document:
         5 January, 2009

4. Technical Description
1. Introduction

The project will create a new credential cache type that allows a per-session Kerberos credential cache. The CCAPI cache type will not be the default credential cache type for normal initial authentication; the default will remain "FILE". Per-session ccaches are highly desirable for a number of reasons, but for this particular project it is required that credentials used for long-running processes not interfere with or overwrite credentials that are created by normal operations such as initial authentication or delegation.

2. Overview

- introduce CCAPI to the krb5 mech library
  - support for per session ccache
  - daemon for ccache in memory across processes
  - doors fs for IPC between user processes and daemon
  - get peer cred useful for authentication
- gssd revamp
  - per user gssd
  - doors fs will be new form of messaging from kernel space
  - get peer cred useful for authentication
  - use new CCAPI

3. Daemon

A new per-user daemon is proposed, ccd (credential cache daemon). ccd(1M) contains the various credential cache stores for the user. A particular ccache store in the daemon is referenced by the tuple (uid, session id). The uid and session id are ASCII strings. The session id can be configured through libraries and an environment variable.

4. krb5 mech

The daemon is invoked through the mech_krb5 user library. The idea is to minimally affect the invoking process when the first and only ccd process is instantiated for the user. The associated door file will remain open after the mech has returned; this provides a way of determining that the ccd process has already been started.

5. IPC

The preferred form of IPC is doors, even though the MIT implementation on Unix uses domain sockets. With doors we can perform credentialing with native functions, e.g. door_ucred(3C). An attempt will be made to make the IPC code as portable as possible.

6. Interface table

Release Binding: micro/patch

Interface                          Classification          Comments
ccd                                Consolidation Private   created by this project
krb5_envvar(5) ccache type         Unstable                New
krb5.conf(4) ccache type stanza    Evolving                New

7. Related CR/PSARCs

6210470  No provision for delayed execution (cron/at) for services requiring Kerberos credentials
6618410  want pam module to authenticate by kerberos keytab

8. Manual page differences

krb5envvar.5:

@@ -43,11 +43,11 @@ Used by the mechanism to specify the location of the credential cache. The variable can be set to the follow- ing value: - [[<cc type>:]<file name>] + [[<cc type>:]<name>] where <cc type> can be FILE or MEMORY. <file name> is the location of the principal's credential cache. If KRB5CCNAME is not defined, the default value is: @@ -75,10 +75,16 @@ The MEMORY credential cache type is used only in special cases, such as when making a temporary cache for the life of the invoking process. + The API credential cache type is a memory credential cache + store shared between a user's processes. This cache is + helpful in storing per session credentials caches. This + allows for the ability to have multiple default credentials + that are autonomous. + KRB5RCNAME Used by the mechanism to specify the type and location of the replay cache. The variable can be set to the fol- lowing value:

krb5.conf.4:
@@ -230,10 +230,16 @@ vulnerable to DNS spoofing attacks. This parameter can be in the [realms] section to set it on a per-realm basis, or it can be in the [libdefaults] section to make it a network-wide setting for all realms. + ccache_type + + Contains the credential cache type used by the system. Valid values + are "file" or "ccapi". If unspecified then the default type is "file". + Refer to krb5envvar(5) under KRB5CCNAME for a description of each type. + [appdefaults] This section contains subsections for Kerberos V5 applica- tions, where relation-subsection is the name of an applica- tion. Each subsection contains relations that define the default behaviors for that application.

9. JGSS

JGSS will continue to support only "FILE" credential cache types at this time.

10. Resources and Schedule

    10.4. Steering Committee requested information
        10.4.1. Consolidation C-team Name: ON
    10.5. ARC review type: FastTrack
    10.6. ARC Exposure: open
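Review bot: the rename in the krb5envvar.5 hunk at @@ -43,11 +43,11 @@ is incomplete: the value syntax changes from "[[<cc type>:]<file name>]" to "[[<cc type>:]<name>]", but the sentence immediately after still says "<file name> is the location of the principal's credential cache" and "<cc type> can be FILE or MEMORY", so the placeholder the reader is told about no longer appears in the syntax and the new type is not listed. Suggest "where <cc type> can be FILE, MEMORY or API. <name> identifies the principal's credential cache", with a note that for FILE the name is a path.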
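Review bot: the paragraph added in the krb5envvar.5 hunk at @@ -75,10 +75,16 @@ never says how <name> is interpreted for the API type (for FILE it is a file location; for a cache "shared between a user's processes" the reader needs to know what the name selects, e.g. the session) or what the default is when KRB5CCNAME is unset, which the page otherwise documents per type. Also "per session credentials caches" should read "per-session credential caches".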
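Review bot: the ccache_type entry in the krb5.conf.4 hunk at @@ -230,10 +230,16 @@ names the valid values "file" or "ccapi" and sends the reader to krb5envvar(5) for a description of each, but that page calls the type "API" (and its <cc type> list still reads FILE or MEMORY), so the two pages disagree on the type's name; pick one spelling and use it in both. The entry also omits which section it belongs in ([libdefaults] or [realms]), which the surrounding parameters state explicitly; add that.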
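Sections 3 and 5 describe a per-user ccd that keys its stores by (uid, session id) and authenticates callers with the peer credentials the kernel supplies (door_ucred(3C) over doors). The C program below is an added illustration of that check, not code from this project or from Solaris. Because the doors API is Solaris-only, it substitutes Linux's SO_PEERCRED on an AF_UNIX socket, which hands the daemon the same kind of kernel-verified pid/uid/gid triple. The ccd_* function names, the "<uid>:<session id>" key format and the session-id syntax rule are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Credentials the kernel reports for the peer of an AF_UNIX socket
 * (SO_PEERCRED on Linux; same pid/uid/gid layout as struct ucred).
 * Declared here so the block builds without glibc's GNU feature macros. */
struct ccd_peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Authenticated client of the per-user ccache daemon. */
struct ccd_client {
    uid_t uid;      /* kernel-reported uid of the caller */
    pid_t pid;      /* kernel-reported pid of the caller */
    char  key[96];  /* "<uid>:<session id>" store key (format is an assumption) */
};

/* Ask the kernel who is on the other end of the IPC endpoint. The Solaris
 * design calls door_ucred(3C) for this; this stand-in uses SO_PEERCRED.
 * Returns 0 on success, -1 if the socket option cannot be read. */
static int ccd_peer(int fd, struct ccd_peer_cred *pc)
{
    socklen_t len = sizeof *pc;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, pc, &len) == 0 ? 0 : -1;
}

/* Session ids are ASCII tokens: printable, no blanks, no ':' (the key separator). */
static int ccd_session_id_ok(const char *sid)
{
    size_t n = strlen(sid);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (sid[i] <= ' ' || sid[i] > '~' || sid[i] == ':') return 0;
    return 1;
}

/* Admit a caller only if the kernel says it runs as the daemon's own uid,
 * then derive the (uid, session id) store key from that verified uid rather
 * than from anything the caller put in its message.
 * Returns 1 accepted, 0 refused, -1 on IPC error. */
static int ccd_authenticate(int fd, uid_t daemon_uid, const char *sid,
                            struct ccd_client *out)
{
    struct ccd_peer_cred pc;
    if (ccd_peer(fd, &pc) != 0) return -1;
    if (pc.uid != daemon_uid) return 0;     /* some other user's process */
    if (!ccd_session_id_ok(sid)) return 0;  /* malformed session id */
    out->uid = pc.uid;
    out->pid = pc.pid;
    snprintf(out->key, sizeof out->key, "%lu:%s", (unsigned long)pc.uid, sid);
    return 1;
}

/* Self-test: a socketpair's peer is this very process, so the kernel reports
 * getuid(); any other daemon_uid must therefore be refused. */
static int ccd_selftest(uid_t daemon_uid, const char *sid, struct ccd_client *out)
{
    int sv[2];
    struct ccd_client tmp;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int r = ccd_authenticate(sv[0], daemon_uid, sid, out ? out : &tmp);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* 1 if the self-test accepts the caller and keys it under the caller's own uid. */
static int ccd_selftest_key_ok(const char *sid)
{
    struct ccd_client c;
    char expect[96];
    if (ccd_selftest(getuid(), sid, &c) != 1) return 0;
    snprintf(expect, sizeof expect, "%lu:%s", (unsigned long)getuid(), sid);
    return c.uid == getuid() && strcmp(c.key, expect) == 0;
}

int main(void)
{
    struct ccd_client c;
    int r = ccd_selftest(getuid(), "1234", &c);
    printf("own uid, session 1234 -> %d key=%s\n", r, r == 1 ? c.key : "-");
    printf("foreign uid            -> %d\n", ccd_selftest(getuid() + 1, "1234", NULL));
    printf("bad session id         -> %d\n", ccd_selftest(getuid(), "a b", NULL));
    return 0;
}
```

The point to take from it is that the uid half of the (uid, session id) key comes from what the kernel reports about the peer, so a process of another user cannot name a different uid in its request and reach that user's caches; the session id is the only part the caller chooses, and it is validated before it becomes part of a key.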