Solaris ssh pam_krb

Jeffrey Hutzelman jhutz at cmu.edu
Mon Apr 3 13:23:48 EDT 2006 


On Monday, April 03, 2006 11:11:14 AM -0500 Nicolas Williams 
<Nicolas.Williams at sun.com> wrote:

> Let's uplevel a bit.
>
> To me PAGs provide a useful distinction between processes in some sort
> of session, sharing some common characteristics, one that is better than
> environment variables in that it is easily (cheaply) observable from the
> IPC peers.
>
> PAGs have, for me, at least these uses:
>
>  - As an Identity Selection Problem tool.

Yes.

>  - As a link from cred_t to user-land that can be used to "extend"
>    cred_t.

Yes.

>  - As a better point for tracking extant references to network
>    authentication credentials than UIDs.

It's unclear to me what you mean here.



> PAGs, like group memberships, do not, IMO, make a good access control on
> process tracing, and they are orthogonal to [local] filesystem access
> controls.  It would be rather surprising if one could not trace/debug
> one's processes from different login sessions.

It would not be surprising if that's what you were expecting.  But let's 
leave the issue of paranoid people aside for a moment, on concentrate on 
PAG's as an identity selection mechanism.  You're right; that's essentially 
how they are used in AFS today, though in a roundabout way.  Essentially, 
we use PAG's to separate management and use of credentials between 
sessions.  So a user can have multiple sessions with different PAG's, and 
they don't interfere with each other.  He can create a new PAG and set 
credentials for a different identity, and processes in the new PAG get the 
new identity while processes in the old PAG get the old one.

Now, the issue is that when you're talking about a caching distributed 
filesystem, your identity affects not only what credentials are used to 
establish connections to fileservers on your behalf, but also what you are 
allowed to do with cached data and connections.  For example...

The first time I try to read a file from a given server, the AFS client 
will establish a connection to the fileserver on my behalf, using my 
credentials.  Now, established connections are not expensive, but 
establishing them is, so the client caches open connections.  The next time 
I try to access a file on that server, it uses my cached connection, even 
if the access is from a different process.  However, if I access a file on 
that server from a different PAG, a new connection must be established, 
because the new PAG might have different credentials (or none at all).  If 
the client fails to separate connections by PAG in this fashion, then it 
becomes impossible to use PAG's for identity selection wrt the filesystem, 
because you can't be assured that file accesses will actually happen with 
the credentials you selected.

In addition, the cache manager has to cache access rights associated with 
files, so that it can cache my private files without giving you access to 
them, but still keep only one copy of files to which we both have access 
(this is particularly important for consistency if we both have _write_ 
access).  Like cached connections, cached access rights data needs to be 
indexed by PAG, not by UID; otherwise processes in a new PAG get access to 
files they shouldn't, or don't get access to files they should, and 
identity selection breaks.


Now, the thing that makes PAG's more than just identity selection is that 
you can't arbitrarily select a PAG -- you can use the one you have, or ask 
for a new (empty) one, but you can't pick up one arbitrarily and use it. 
Now, I know this has no real security value as long as it is trivial to 
cross PAG boundaries, but the people who are really paranoid will do 
something about it, perhaps by disabling tracing altogether (along with 
dtrace, and the ability to load kernel modules or touch kernel memory in 
any way, etc, etc, etc).

Interestinly, while PAG's don't directly provide process group separate, it 
occurs to me that given the ability for in-kernel code to determine a 
process's PAG, they could be used to _implement_ stronger session 
separation.  I don't know enough about the internals of Solaris, but I bet 
I could write a security module for Linux that did exactly this, using AFS 
PAG's.

But again, process group separation isn't really the point.
The point, for AFS, is making identity selection work.

-- Jeff

More information about the Kerberos mailing list