Template Version: @(#)sac_nextcase %I% %G% SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
Kerberos CCAPI
1.2. Name of Document Author/Supplier:
Author: Shawn Emery
1.3 Date of This Document:
15 January, 2009
4. Technical Description
Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
CCAPI
1.2. Name of Document Author/Supplier:
Author: Shawn M. Emery
1.3 Date of This Document:
5 January, 2009
4. Technical Description
1. Introduction
The project will create a new credential cache type that allows a
per-session Kerberos credential cache. The CCAPI cache type will not be
the default credential cache type for normal initial authentication;
the default will remain "FILE".
Per-session ccaches are highly desirable for a number of reasons, but
for this particular project the requirement is that credentials used by
long-running processes do not interfere with or overwrite credentials
created by normal operations such as initial authentication or
delegation.
2. Overview
- introduce CCAPI to the krb5 mech library
  - support for per session ccache
  - daemon for ccache in memory across processes
  - door fs for IPC between user processes and daemon
    - get peer cred useful for authentication
- gssd revamp
  - per user gssd
  - doors fs will be new form of messaging from kernel space
    - get peer cred useful for authentication
  - use new CCAPI
3. Daemon
A new per-user daemon is proposed, ccd (credential cache daemon). ccd(1M)
contains the various credential cache stores for the user. A particular
ccache store in the daemon is referenced by the tuple (uid, session id),
where both the uid and the session id are ASCII strings. The session id
can be configured through library calls and an environment variable.
4. krb5 mech
The daemon is invoked through the mech_krb5 user library. The idea is
to affect the invoking process as little as possible when the first and
only ccd process is instantiated for the user.
The associated door file will remain open after the mech has returned;
this provides a way of determining whether the ccd process has already
been started.
5. IPC
The preferred form of IPC is doors, even though the MIT implementation
on Unix uses domain sockets. With doors the daemon can authenticate the
calling process from its kernel-supplied credentials (uid and so on)
using native functions, e.g. door_ucred(3C), rather than from anything
the client places in the request itself.
An attempt will be made to make the IPC code as portable as possible.
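As an added illustration (not code from this PSARC case or from ccd itself), the C sketch below shows how ccd's stores can be keyed by the (uid, session id) tuple from section 3 and how the door server from section 5 can authorize a caller from door_ucred(3C) instead of trusting a uid carried in the request. The store layout, the "uid:session" request format and the function names are assumptions; door_ucred(3C), ucred_geteuid(3C), ucred_free(3C) and door_return(3C) are the real Solaris interfaces and only compile there.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define MAX_STORES 16
#define KEY_LEN 32
/* Hypothetical ccd store: referenced by the (uid, session id) tuple, both ASCII. */
struct ccstore { char uid[KEY_LEN]; char session[KEY_LEN]; };
static struct ccstore stores[MAX_STORES];
static int nstores;
/* Find the store for (uid, session); create it if asked. NULL if absent or table full. */
struct ccstore *ccd_lookup(const char *uid, const char *session, int create)
{
    int i;
    for (i = 0; i < nstores; i++)
        if (strcmp(stores[i].uid, uid) == 0 && strcmp(stores[i].session, session) == 0)
            return &stores[i];
    if (!create || nstores == MAX_STORES) return NULL;
    snprintf(stores[nstores].uid, KEY_LEN, "%s", uid);
    snprintf(stores[nstores].session, KEY_LEN, "%s", session);
    return &stores[nstores++];
}
/* The kernel-reported uid of the door client must equal the uid in the
 * requested tuple; the request string alone is never trusted for identity. */
int ccd_authorize(uid_t caller_uid, const char *req_uid)
{
    char buf[KEY_LEN];
    snprintf(buf, sizeof buf, "%lu", (unsigned long)caller_uid);
    return strcmp(buf, req_uid) == 0;
}
#ifdef __sun
#include <door.h>
#include <ucred.h>
/* Door server procedure (Solaris only): the request is the string
 * "uid:session"; the peer's uid comes from door_ucred(3C), not the request. */
void ccd_door_proc(void *cookie, char *argp, size_t arg_size,
                   door_desc_t *dp, uint_t n_desc)
{
    ucred_t *uc = NULL;
    char req[2 * KEY_LEN], *sep;
    int rc = -1;
    (void)cookie; (void)dp; (void)n_desc;
    snprintf(req, sizeof req, "%.*s", (int)arg_size, argp);
    if (door_ucred(&uc) == 0 && (sep = strchr(req, ':')) != NULL) {
        *sep = '\0';
        rc = ccd_authorize(ucred_geteuid(uc), req) && ccd_lookup(req, sep + 1, 1) ? 0 : -1;
    }
    if (uc != NULL) ucred_free(uc);
    door_return((char *)&rc, sizeof rc, NULL, 0);
}
#endif
```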
6. Interface table
Interface                            Classification          Comments
ccd                                  Consolidation private   created by this project
krb5_envvar(5) ccache type           Unstable                new
krb5.conf(4) ccache type stanza      Evolving                new
Release Binding: micro/patch
7. Related CR/PSARCs
6210470  No provision for delayed execution (cron/at) for services requiring Kerberos credentials
6618410  want pam module to authenticate by kerberos keytab
8. Manual page differences
krb5envvar.5:
@@ -43,11 +43,11 @@
Used by the mechanism to specify the location of the
credential cache. The variable can be set to the follow-
ing value:
- [[<cc type>:]<file name>]
+ [[<cc type>:]<name>]
where <cc type> can be FILE or MEMORY. <file name> is
the location of the principal's credential cache.
If KRB5CCNAME is not defined, the default value is:
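Review bot: the syntax line now reads `[[<cc type>:]<name>]`, but the unchanged context two lines below still says `<file name> is the location of the principal's credential cache` and `where <cc type> can be FILE or MEMORY`, so the placeholder no longer matches and the new type is not listed; update both in this hunk, e.g. `where <cc type> can be FILE, MEMORY or API. <name> is the location or name of the principal's credential cache.`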
@@ -75,10 +75,16 @@
The MEMORY credential cache type is used only in special
cases, such as when making a temporary cache for the
life of the invoking process.
+ The API credential cache type is a memory credential cache
+ store shared between a user's processes. This cache is
+ helpful in storing per session credentials caches. This
+ allows for the ability to have multiple default credentials
+ that are autonomous.
+
KRB5RCNAME
Used by the mechanism to specify the type and location
of the replay cache. The variable can be set to the fol-
lowing value:
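Review bot: the added paragraph names the type `API` while the krb5.conf(4) change in this same case accepts the value `ccapi`; use one spelling and state which form KRB5CCNAME accepts. Also `per session credentials caches` should read `per-session credential caches`, and the closing sentence (`multiple default credentials that are autonomous`) would be clearer as a plain statement that each session gets its own default cache which other sessions do not overwrite, the requirement given in the introduction.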
krb5.conf.4:
@@ -230,10 +230,16 @@
vulnerable to DNS spoofing attacks. This parameter can
be in the [realms] section to set it on a per-realm
basis, or it can be in the [libdefaults] section to make
it a network-wide setting for all realms.
+ ccache_type
+
+ Contains the credential cache type used by the system. Valid values
+ are "file" or "ccapi". If unspecified then the default type is
"file".
+ Refer to krb5envvar(5) under KRB5CCNAME for a description of each
type.
+
[appdefaults]
This section contains subsections for Kerberos V5 applica-
tions, where relation-subsection is the name of an applica-
tion. Each subsection contains relations that define the
default behaviors for that application.
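Review bot: the lines `"file".` and `type.` carry no `+` marker even though they continue the added lines above them (the header's +16 count only works if they are wrapped continuations), so the hunk as shown will not apply cleanly; re-wrap them as `+`-prefixed lines. The valid values are given as `file` or `ccapi`, but KRB5CCNAME in krb5envvar(5) also accepts MEMORY; say whether `memory` is deliberately excluded from ccache_type so readers do not assume the two lists should match.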
9. JGSS
JGSS will continue to only support "FILE" credential cache types at this time.
10. Resources and Schedule
10.4. Steering Committee requested information
10.4.1. Consolidation C-team Name:
ON
10.5. ARC review type: FastTrack
10.6. ARC Exposure: open