New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Misc ccache fixes #1143
base: master
Are you sure you want to change the base?
Misc ccache fixes #1143
Conversation
ae7904c
to
d576555
Compare
Thanks, I'll give it a whirl when I have a chance. FYI (not sure where best to discuss this so just dropping it here), the main reason I was looking into this credential cache syntax -- other than to see whether the sqlite3 ccache was worth keeping or could be disabled to sidestep the symbol collision issues of https://gnats.NetBSD.org/57406 altogether -- was to see whether it would be reasonable to pick DIR or SCC as the default credential cache type instead of FILE so kinit could just work out of the box to log into multiple realms at the same time. Right now I do So, before spending effort on tweaking the compile-time defaults, I thought I'd test the usability of DIR and SCC caches, with whatever is the default location for them, by setting |
I skimmed through the changes, haven't processed anything yet -- but I think the most important thing here is to have extensive automatic tests for all the kinds of settings that one might find in the environment and/or krb5.conf. For the tests that are already in here, one appears to be failing:
|
Oh, it's not ready...
Ah, well, in Heimdal the FILE cache type supports collections! Try The context here is that the whole ccache collection concept that was grafted onto the krb5 API has been... somewhat unfinished this whole time, and this work is part of finishing it. Among the things that needed to be done to finish it was to teach the FILE cache type to be a collection cache type, and also to add a convention for naming sub-caches after the principals whose credentials they are intended to hold. |
I've not gotten to that yet. I don't have a lot of time or energy right now to write extensive tests, but the two tests we have of ccaches have a good enough framework for adding more. |
I see. My hope is that in NetBSD 11 (or maybe even 10) a user can just write For now, I tried the configuration and command-line option, and this is what happened:
If I set KRB5CCTYPE=DIR it seems to work a little better, although plain
I suspect that KRB5CCTYPE=DIR will have advantages over KRB5CCTYPE=FILE, by narrowing any iteration to a single directory that the user owns. |
Understood, didn't mean to direct your time! If I find time perhaps I can contribute to that. |
That's there now even for FILE! But you do have to
Ah, well, that is a bit of another story. This is known as the "credential selection problem". If one knows the target service's realm a priori (either because it was furnished by the application or because we have a local Suppose you have no relevant
and you want to authenticate to Well, we could try all the credentials in... some order. How do we make that order deterministic? And what if you don't want to use admin credentials to authenticate to that service? Keep in mind that the modern approach to determining a service's realm is to chase referrals from the client's "start realm" (i.e., the realm for which the client has a root So it's complicated. The best we could do besides trying them all in It's not just Kerberos that has this problem -- PKI, JWT, you name it, they all have this problem. And we also have a desire to support the most minimal local configuration possible -- zeroconf even. There's too many conflicts and too much mind reading to do here. |
Help would be appreciated, and we really appreciate your contributions so far! If I'm devoting some energy to this right now it's because a) I happen to need to add some functionality to Heimdal for |
Ugh. There's several problems with the |
d576555
to
f05facf
Compare
This is still a work in progress. This now includes a significant set of [untested!] fixes to the
In the process I'm upgrading SQLite3 in-tree to 3.42.0. TODO:
|
@riastradh it might be really nice to have a set of simple rules one could express for credential selection, rules of the form
I think something like that could have value, at least as a starting point. I decidedly do not have the energy or mandate to work on this. |
416d721
to
ea8a8eb
Compare
Are you sure?
Fair enough. I'll settle for working
My expectation, from blind intuition without consulting any code or standards or documentation or past heated debates from mid-1990s mailing list archives:
In case (3), I'm not sure the fine details of automagic default selection matter so much as providing a way for the user to specify a principal as the default for that realm, like I'm sure I've missed lots of issues in more complex scenarios like cross-realm setups, but presumably whatever more complex rules handle these more complex scenarios could reduce, in the simpler scenario I sketched, to easy predictable rules like the ones above. Of course, there's also a good chance that I missed some problems that are obvious to people who have been steeped in Kerberos development for ages, but I hope that if so, there's a good reason for such problems to get in the way of relatively simple scenarios, rather than simply that the rules above don't give a unique solution for more complex scenarios. (I'm somewhat deliberately being naive/obtuse here because my goal is to make easy things work predictably, rather than setting all the knobs and options to do exactly what I want each time like I used to do for many years, so I'm trying to do the obvious thing and then seeing what actually falls apart when I try it. If nothing else, I hope this results in having any difficulties with the obvious thing get documented!)
What's the harm of a DNS lookup here? I see three possible negative outcomes from it:
I certainly appreciate the desire for minimal or zero configuration, and that's what I'm aiming for too -- perhaps to ship an empty /etc/krb5.conf in NetBSD, or to safely obviate the need for having an /etc/krb5.conf at all. But I also expect that for certain purposes -- privacy of user's identity when browsing to non-kerberized sites, privacy of user's location when browsing to kerberized sites approved by the user -- some local configuration is needed. And I expect that for users juggling multiple identities within a realm, some extra interaction like Random thought: /etc/krb5.conf could start with a line saying what version it's based on and take all reasonable defaults from that version. New installations with /etc/krb5.conf created afresh with the new version line would get reasonable secure defaults without forcing users and admins to find all the obscure knobs to twiddle the right way; upgraded installations from old versions that lack a version line or still refer to an old version line wouldn't be impacted, but could be secured by updating the version line. |
ea8a8eb
to
090296d
Compare
Ugh, it used to work, and I'll be fixing it. |
fixes it, though I'll do better in a bit. |
090296d
to
5a02bf2
Compare
The new hotness is to chase referrals and never bother doing DNS domain-to-realm mapping. This means relying on KDCs' In principle you can disable referrals chasing by using
The "one with non-expired tickets" thing makes for surprises.
The point of creating a convention for naming caches in a collection after the client principal whose credentials they contain is to make it possible to just type |
Next up: fix |
5a02bf2
to
d763faf
Compare
OK, |
d763faf
to
de32049
Compare
|
When KRB5CCNAME was set (or a default ccache was set via krb5_cc_set_default_name()) don't search any other collections in krb5_cc_cache_match() or krb5_cccol_last_change_time(). Otherwise one could `kinit -c $SOME_NON_DEFAULT_CCACHE ...` and have kinit look for and find a suitable ccache in some other collection. The point of searching all collections is that if we know they're all relevant in the current context, then we can save the user (or login apps) having to set and coordinate KRB5CCNAME, which would be a significant UI/UX improvement. But we can only do that when we know that a ccache [collection] was not named either via KRB5CCNAME nor more explicitly. Well, _if_ the ccache named via KRB5CCNAME or otherwise happens to be the same as the default ccache for that cache type, then perhaps we should still search the other cache types' default collections too, but that will require more work.
…efault ccache type (fix #1124)
Calling krb5_cc_new_unique() with a non-NULL `type` argument that is not the same as the type of the default ccache (when that ccache is set via `KRB5CCNAME` or `krb5_cc_set_default_name()`) is currently surprising: it will create a ccache in the _default_ collection for the requested type, but if the user set `KRB5CCNAME` to a non-default ccache then this will be clearly not desired. To fix this we'll: a) let `krb5_cc_new_unique()` extract a collection name from its `type` argument, if present b) let `krb5_cc_new_unique()` use its `hint` argument as a collection name for the given collection `type` c) add a new `gen_new_2()` method to krb5_cc_ops that takes a collection name argument d) change all in-tree uses of `krb5_cc_new_unique()` to pas a collection name where possible TODO: - add the new `gen_new_2()` method to all in-tree cache types - change all in-tree uses of krb5_cc_new_unique() as described above - write a test
This function should be used in-tree and in ccache plugins to eliminate duplicate code and make cache name parsing more consistent so that we can have `KRB5CCNAME=<TYPE>` and `KRB5CCNAME=<TYPE>:` work consistently for all cache types and denote "use the default collection name for <TYPE>. All cache types in-tree support collections nowadays, even FILE. External cache plugins may not and need not. To support collections a cache must support the `set_default()` method of `krb5_cc_ops` -- see `krb5_cc_support_switch()`.
- Use WAL mode - Disable sync writes - Revamp the SQL schema - Replace triggers with foreign keys - Revamp scc_remove_cred() - Add scc_retrieve_cred() - When there is no default ccache, make the next one written to the default (maybe this is not a good idea?)
…one is (WIP) I've noticed that `klist -l` doesn't show which ccache is the primary one. This is fundamentally because we don't have a method for getting the primary ccache. This commit prepares for adding that.
d98e56f
to
e438cdd
Compare
Using |
Using |
SCC is not usable in Heimdal 7.8.0, and this brings a dependency on libsqlite3 into libkrb5 and therefore libgssapi, which is problematic downstream applications that have sqlite3 from pkgsrc or statically built in. SCC will undergo substantial revision in the next Heimdal version (heimdal/heimdal#1143). We can revisit later how to deal with this -- perhaps by symbol-renaming a copy of sqlite3 in Heimdal as it looks like upstream intends to do. PR lib/57406 XXX pullup-10
share/mk/bsd.prog.mk: revision 1.346 crypto/external/bsd/heimdal/sbin/kstash/Makefile: revision 1.6 share/mk/bsd.prog.mk: revision 1.347 crypto/external/bsd/heimdal/sbin/hprop/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/kdc/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/iprop-log/Makefile: revision 1.6 crypto/external/bsd/heimdal/lib/libkrb5/Makefile: revision 1.16 crypto/external/bsd/heimdal/libexec/digest-service/Makefile: revision 1.6 crypto/external/bsd/heimdal/Makefile.inc: revision 1.10 crypto/external/bsd/heimdal/Makefile.inc: revision 1.11 crypto/external/bsd/heimdal/Makefile.inc: revision 1.9 crypto/external/bsd/heimdal/libexec/kadmind/Makefile: revision 1.8 crypto/external/bsd/heimdal/lib/libhdb/Makefile: revision 1.6 crypto/external/bsd/heimdal/include/config.h: revision 1.12 crypto/external/bsd/heimdal/libexec/hpropd/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/ipropd-slave/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/ipropd-master/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/kpasswdd/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/kadmin/Makefile: revision 1.7 heimdal: Disable sqlite3 credential cache (SCC). SCC is not usable in Heimdal 7.8.0, and this brings a dependency on libsqlite3 into libkrb5 and therefore libgssapi, which is problematic downstream applications that have sqlite3 from pkgsrc or statically built in. SCC will undergo substantial revision in the next Heimdal version heimdal/heimdal#1143. We can revisit later how to deal with this -- perhaps by symbol-renaming a copy of sqlite3 in Heimdal as it looks like upstream intends to do. PR lib/57406 bsd.prog.mk: krb5 stuff no longer needs to link against sqlite3. (Why is this here? Seems like it should be a .mk fragment under crypto/external/bsd/heimdal -- that way I would have found it for the previous commit.) PR lib/57406 heimdal: No need for -lm, was only added for -lsqlite3. PR lib/57406 heimdal: Make sure whatever uses libhdb also gets libsqlite3 & libm. Loose ends for static builds in the fix for PR lib/57406.
SCC is not usable in Heimdal 7.8.0, and this brings a dependency on libsqlite3 into libkrb5 and therefore libgssapi, which is problematic downstream applications that have sqlite3 from pkgsrc or statically built in. SCC will undergo substantial revision in the next Heimdal version (heimdal/heimdal#1143). We can revisit later how to deal with this -- perhaps by symbol-renaming a copy of sqlite3 in Heimdal as it looks like upstream intends to do. PR lib/57406 XXX pullup-10
share/mk/bsd.prog.mk: revision 1.346 crypto/external/bsd/heimdal/sbin/kstash/Makefile: revision 1.6 share/mk/bsd.prog.mk: revision 1.347 crypto/external/bsd/heimdal/sbin/hprop/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/kdc/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/iprop-log/Makefile: revision 1.6 crypto/external/bsd/heimdal/lib/libkrb5/Makefile: revision 1.16 crypto/external/bsd/heimdal/libexec/digest-service/Makefile: revision 1.6 crypto/external/bsd/heimdal/Makefile.inc: revision 1.10 crypto/external/bsd/heimdal/Makefile.inc: revision 1.11 crypto/external/bsd/heimdal/Makefile.inc: revision 1.9 crypto/external/bsd/heimdal/libexec/kadmind/Makefile: revision 1.8 crypto/external/bsd/heimdal/lib/libhdb/Makefile: revision 1.6 crypto/external/bsd/heimdal/include/config.h: revision 1.12 crypto/external/bsd/heimdal/libexec/hpropd/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/ipropd-slave/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/ipropd-master/Makefile: revision 1.6 crypto/external/bsd/heimdal/libexec/kpasswdd/Makefile: revision 1.6 crypto/external/bsd/heimdal/sbin/kadmin/Makefile: revision 1.7 heimdal: Disable sqlite3 credential cache (SCC). SCC is not usable in Heimdal 7.8.0, and this brings a dependency on libsqlite3 into libkrb5 and therefore libgssapi, which is problematic downstream applications that have sqlite3 from pkgsrc or statically built in. SCC will undergo substantial revision in the next Heimdal version heimdal/heimdal#1143. We can revisit later how to deal with this -- perhaps by symbol-renaming a copy of sqlite3 in Heimdal as it looks like upstream intends to do. PR lib/57406 bsd.prog.mk: krb5 stuff no longer needs to link against sqlite3. (Why is this here? Seems like it should be a .mk fragment under crypto/external/bsd/heimdal -- that way I would have found it for the previous commit.) PR lib/57406 heimdal: No need for -lm, was only added for -lsqlite3. PR lib/57406 heimdal: Make sure whatever uses libhdb also gets libsqlite3 & libm. Loose ends for static builds in the fix for PR lib/57406.
What can be done to unwedge this branch? Some other changes are blocked on this, like #1167. I forgot what the issues were holding this one up (other than circular tuit shortage). |
@riastradh er, well, I guess I need a code review. |
[@riastradh here's a work-in-progress to fix some of the issues you turned up regarding
KRB5CCNAME
.]083c994019e
I'll mostly want to keep even if we switch to renaming the SQLite3 symbols.This PR has a bunch of things:
[libdefaults]
default_ccache_name_by_type
parameter below which are per-cache type alternative default cache nameskrb5_cc_cache_match2()
andkrb5_cccol_cursor_new2()
which take an optional collection name argument (<TYPE>:<name>
)krb5_cc_new_unique()
so that either itstype
orhint
argument can be cache names and will be used to create the new [unique] cache in the named collectionkrb5_cc_ops
with several new methods to support all of thisget_default_cache()
method ofkrb5_cc_ops
to have it return the token-expanded hard-coded default cache for that type, and adds a newget_primary_cache()
method to return the current "switched" primary cache for a given collection (this is WIP not in this PR yet)krb5_cc_new_unique()
,krb5_cc_cache_match
in-tree to do use this new featureklist
now knows thatX-RMED-CONF:
is the realm of cc config entries that have been removed and no longer shows those as>>>Expired<<<
FILE
,DIR
, andSCC
bugs galoreklist -l
output forDIR
is nice nowSCC
cache typeFOREIGN KEY
s<TYPE>:[collection][:subsidiary]
for all in-tree cache types exceptMEMORY
(which is justMEMORY:<name>
orMEMORY:anonymous
) andFILE
(which isFILE:[collection][+subsidiary]
)KRB5CCNAME
value or-c
option argument (e.g.,FILE
,DIR
, ...) and the expected default will be usedFILE:
,DIR:
, etc.tests/kdc/check-cc.in
andlib/krb5/test_cc.c
sqlite3
symbols anyways)TODO:
make check-valgrind
should be clean nowkswitch ... [cmd [args]]
, and test that intests/kdc/check-cc
or losekrb5_cc_parse_name()
TYPE:collection-name
for that type, defaulting or not the collection name as appropriatekrb5_cc_parse_name()
get_primay_name()
methods to the in-tree cache types[ ] make all in-tree cache types usekrb5_cc_parse_name()
to DRY and get more consistentkrb5_cccol_cursor_new()
tokrb5_cccol_cursor_new2()
Anything else will go into a separate PR:
fix collection cache iteration start method to take a collection name so that when iterating a non-default collection we don't end up iterating the default one insteadrethinkresolve_2()
method and splitting of subsidiary cache names upstairsDIR
andFILE
cache types, thus allowingSCC
,KCM
, andAPI
to have arbitrary subsidiary names w/o aliasing concerns)