Re: In-kernel Authentication Tokens (PAGs)

From: Andy Lutomirski
Date: Sat Jun 12 2004 - 10:38:35 EST


Kyle Moffett wrote:

On Jun 12, 2004, at 01:34, Andy Lutomirski wrote:

Right. But I think it would be desirable to do other things -- for example, a program might want to forward one token over to a daemon to do some work. It doesn't make much sense here to have a hierarchical structure.


So you disagree with the hierarchical structure because you believe that there are other things that are more important that conflict with it. I see no reason why both cannot be accommodated. For me, I would really desire a hierarchical structure because it would make it very simple to have a token set for the entire session and one for each instance (shell), and ones for subshells where convenient.

OK.


You want to send a token to some daemon over a UNIX socket? Just copy the token data and write it out to the socket, the same as if you had some external token store (like in MIT Kerberos) and wanted to send the token to somewhere without the environment variables. This system would allow several existing token cache mechanisms to be converted to this alternative store without much work at all.

Except I'd like non-root users to have tokens that they _cannot_ read, but that they can still pass over unix sockets. I have no objection to also allowing user-readable tokens.

This way I could have a server with, say, a Kerberos service token such that a compromise of the server process does not compromise the service token. (You still have a gotcha in that the kerberosd this would require would, for performance reasons, want to handle only ticket-granting traffic. Still, you just mark the TGT unreadable and the individual session tickets readable, so that the damage of a compromise is limited to a few hours until the sessions expire.)

Yes, this would be a _lot_ more work than just blindly porting Kerberos' ticket cache, but it has security benefits.

And I really want a good token system in Linux -- that way the OpenAFS people will stop bitching and I might be able to use it again.

--Andy