From Fedora Project Wiki

< Features

Revision as of 21:40, 14 August 2012 by Nalin (talk | contribs) (→‎Scope)


KRB5 DIR: Credential Caches

Summary

Kerberos 1.10 added a new cache storage type, DIR: which allows Kerberos to maintain TGTs for multiple KDCs simultaneously and auto-select between them when negotiating with Kerberized resources. Fedora should switch to using the DIR: cache format over the older FILE: cache format to support accessing multiple Kerberos realms.

Owner

  • Email: sgallagh@redhat.com

Current status

  • Targeted release: Fedora 18
  • Last updated: Sgallagh 15:49, 07 August 2012 (UTC)
  • Percentage of completion: 75%
    • All work is complete on the SSSD portion of this.
    • pam_krb5 is still pending. Expected to land in time for Alpha freeze.
    • GNOME Online Accounts work is ready upstream but hasn't landed yet in Fedora. Should be ready for Alpha


Detailed Description

Support of multiple Kerberos realms is a critical feature and has been one of the most-requested enhancements of Kerberos. Having the ability to acquire a single-sign-on credential for other realms without traditional hurdles will allow users to set up environments such as: 1) Log on to their local machine using their corporate Kerberos environment, acquiring that TGT. 2) Present credentials and acquire a ticket for their partner's environment and be able to access resources in both without additional steps.

In conjunction with Features/KRB5CacheMove, this directory containing credential caches will be located at /run/user/$UID/krb5cc. A per-session credential cache should be able to be matched by globbing for /run/user/$UID/krb5cc*.

Benefit to Fedora

The basics are described in the Detailed Description section. Other potential benefits would be that it would make it simpler to eventually migrate the Fedora development infrastructure to use Kerberos. One of the major hurdles to this effort has always been that it would be difficult for users who already sign in to Kerberos environments to also work in Fedora. With this capability added, that's one fewer roadblock to this conversion.

Users will be able to set up NFSv4 mounts to file servers in multiple Kerberos realms.

Scope

Multiple packages will need to be updated to support this, though the changes to those packages in many cases will be limited. The necessary functionality is already available in the kerberos libraries provided by the 'krb5' package.

  • krb5: Will need to change the default configuration to specify DIR: caches instead of FILE: caches
  • SSSD: Will need to add support for the DIR: caches internally. See https://fedorahosted.org/sssd/ticket/974
  • pam_krb5: Will need to be able to create DIR: caches during login
  • gssd (nfs-utils): Will need to be updated to understand the DIR: cache structure (work will overlap 90% with Features/KRB5CacheMove)
  • GNOME (optional): Can be updated to support additional Kerberos realms as "Online Accounts" (similar to the Google Accounts currently supported)
  • krb5-auth-dialog: Will need to have DIR: cache support added. GNOME project may be absorbing this functionality

How To Test

Some testing will be easily handled by the use of the 'klist' and 'kinit' command-line functions. We will also want to test GSSD/NFSv4 setups using multiple realms.

User Experience

Users will be able to log into multiple Kerberos realms simultaneously. If the GNOME features are also added in time, they will have a graphical interface for credential acquisition.

Dependencies

  • Features/KRB5CacheMove - This is not a strict dependency, but they are closely interconnected.
  • krb5
  • sssd
  • pam_krb5
  • sshd
  • nfs-utils
  • cifs-utils
  • gnome-*

Contingency Plan

Kerberos still retains support for the current FILE: caches. We can revert the default configurations back to using that and everything should work fine.

Documentation

Release Notes

  • Fedora's Kerberos support will now allow users to maintain credentials for multiple identities and for the GSSAPI client code to automatically select credentials based on the target service and hostname.

Comments and Discussion