Re: In-kernel Authentication Tokens (PAGs)
From: Andy Lutomirski
Date: Sat Jun 12 2004 - 10:38:35 EST
Kyle Moffett wrote:
On Jun 12, 2004, at 01:34, Andy Lutomirski wrote:
Right. But I think it would be desirable to do other things -- for
example, a program might want to forward one token over to a daemon to
do some work. It doesn't make much sense here to have a hierarchial
structure.
So you disagree with the hierarchical structure because you believe that
there are other things that are more important that conflict with it. I
see no reason why both cannot be accommodated. For me, I would really
desire a hierarchical structure because it would make it very simple to
have a token set for the entire session and one for each instance
(shell), and ones for subshells where convenient.
OK.
You want to sent a token to some daemon over a UNIX socket? Just copy
the token data and write it out to the socket, the same as if you had
some external token store (Like in MIT Kerberos) and wanted to send the
token to somewhere without the environment variables. This system would
allow several existing token cache mechanisms to be converted to this
alternative store without much work at all.
Except I'd like non-root users to have tokens that they _cannot_ read, but
that they can still pass over unix sockets. I have no objection to also
allowing user-readable tokens.
This way I could have a server with, say, a Kerberos service token such
that a compromise of the server process does not compromise the service
token. (You still have a gotcha in that the kerberosd this would require
would, for performance reasons, want to handle only ticket-granting
traffic. Still, you just mark the TGT unreadable and the individual
session tickets readable, so that the damage of a compromise is limited to
a few hours until the sessions expire.)
Yes, this would be a _lot_ more work than just blindly porting Kerberos'
ticket cache, but it has security benefits.
And I really want a good token system in Linux -- that way the OpenAFS
people will stop bitching and I might be able to use it again.
--Andy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/