[Freeipa-devel] Notes on server to server sasl

Simo Sorce ssorce at redhat.com
Fri Oct 31 18:49:21 UTC 2008


On Fri, 2008-10-31 at 12:36 -0600, Rich Megginson wrote:
> Simo Sorce wrote:
> > On Fri, 2008-10-31 at 10:26 -0600, Rich Megginson wrote:
> >   
> >> Simo Sorce wrote:
> >>     
> >>> On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:
> >>>
> >>>   
> >>>       
> >>>>> The credential cache contains the expiration date of the credentials,
> >>>>> you should be able to check without contacting the KDC (and we do not
> >>>>> want to contact the KDC at all, unless we need to acquire a ticket).
> >>>>>   
> >>>>>       
> >>>>>           
> >>>> So if current datetime < cred expiration datetime, then the creds are 
> >>>> ok?  No other validation needs to be done?
> >>>>     
> >>>>         
> >>> Usually it is safe to assume so.
> >>> The only exception is someone generating a new key for the service and
> >>> replacing the service keytab instead of appending to it (so that the
> >>> older key material with the previous kvno is no longer available to the
> >>> server, which then cannot verify older credentials that are still valid).
> >>>
> >>> In this case you should get back an auth error. You may decide at this
> >>> point to discard the current ticket and try to acquire a new one.
> >>>   
> >>>       
> >> Ok.  Hmm - seems that my code will need to add some further complexity.  
> >> Right now it just takes the first entry from the server's keytab file 
> >> and uses that for authentication.  Is it possible the keytab may contain 
> >> entries that cannot/should not be used?
> >>     
> >
> > You manually parse the keytab ?
> >   
> I need a principal to pass to krb5_get_init_creds_keytab.  I do not have 
> a way for the user to specify the principal.  I need a principal that 
> actually exists in the keytab, so I use 
> krb5_kt_start_seq_get/krb5_kt_next_entry/krb5_kt_end_seq_get to iterate 
> the keytab entries, grabbing the first principal.

The principal is ldap/fqdn.of.host@DEFAULT-REALM

The default realm is easy to get with Kerberos calls.
The host fqdn is what you get from gethostname().
The ldap prefix is fixed.

No matter what's in the keytab, that's your principal.
If that's not what's in the keytab it is an error anyway, clients will
never be able to reach you.

If you want to make it configurable you should have a configure option
in dse.ldif

Parsing the keytab is not a good idea IMO.

> > In a keytab you can have entries for many different services,
> For the directory server service keytab?  It will have principals other 
> than ldap/fqdn@REALM?

It may easily be a symlink to /etc/krb5.keytab, and there you will
probably have at least host/fqdn@REALM, and maybe nfs/fqdn@REALM, or
something else ... do not assume what's in the keytab, there is no need
to; let the Kerberos libraries handle details as much as possible.

> > as well
> > multiple entries for the same service but with different kvno.
> > The highest kvno is the newest one and should be the one to be used.
> > Older keys can be used only to accept valid tickets in the time-frame
> > that the old keys are still valid.
> >   
> eek - then how is the code supposed to know which principal to use?

See above.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
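
The two points of the reply above, derive the principal from a fixed prefix plus gethostname() and the default realm rather than from the keytab, and reuse a cached ticket until its expiry or until the server rejects it, as an added example that is not code from the 389-ds or FreeIPA trees. It does not link against libkrb5: the realm and the ticket endtime are passed in by the caller (in the real code they would come from krb5_get_default_realm() and the endtime field of the krb5_creds found in the ccache). The requirement that the host name contain a dot, the skew margin, and the sample host/realm values are assumptions added here.

```c
/* Added example, not from the 389-ds / FreeIPA code base. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define LDAP_SERVICE "ldap"   /* fixed prefix, as the reply states */

/* Build "ldap/<fqdn>@<REALM>" into buf.  Returns 0 on success, -1 if the
 * host name is not fully qualified (no '.') or buf is too small.
 * The FQDN check is an added sanity check, not something the reply asks for. */
int build_ldap_principal(const char *fqdn, const char *realm, char *buf, size_t n)
{
    if (fqdn == NULL || realm == NULL || *fqdn == '\0' || *realm == '\0')
        return -1;
    if (strchr(fqdn, '.') == NULL)
        return -1;
    int len = snprintf(buf, n, "%s/%s@%s", LDAP_SERVICE, fqdn, realm);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return 0;
}

/* Same thing using gethostname(), the source of the host part in the reply. */
int local_ldap_principal(const char *realm, char *buf, size_t n)
{
    char host[256];
    if (gethostname(host, sizeof host) != 0)
        return -1;
    host[sizeof host - 1] = '\0';
    return build_ldap_principal(host, realm, buf, n);
}

enum cred_action {
    CRED_REUSE,     /* cached ticket still valid: use it, do not contact the KDC */
    CRED_REACQUIRE  /* expired or rejected: drop it and ask the KDC for a new one */
};

/* endtime:     ticket expiry read from the credential cache
 * now:         current time
 * auth_failed: the last bind with this ticket got an auth error, e.g. the
 *              service keytab was replaced so the old kvno is gone
 * skew:        assumed safety margin so a ticket about to expire is not used */
enum cred_action cred_decide(time_t now, time_t endtime, int auth_failed, time_t skew)
{
    if (auth_failed)
        return CRED_REACQUIRE;
    if (now + skew >= endtime)
        return CRED_REACQUIRE;
    return CRED_REUSE;
}

int main(void)
{
    char princ[512];
    /* Constructed host and realm, not taken from any real deployment. */
    if (build_ldap_principal("ipa.example.com", "EXAMPLE.COM", princ, sizeof princ) == 0)
        printf("principal: %s\n", princ);
    if (local_ldap_principal("EXAMPLE.COM", princ, sizeof princ) == 0)
        printf("local principal: %s\n", princ);
    else
        printf("local host name is not fully qualified\n");

    time_t now = time(NULL);
    printf("fresh ticket: %s\n",
           cred_decide(now, now + 3600, 0, 300) == CRED_REUSE ? "reuse" : "reacquire");
    printf("after auth error: %s\n",
           cred_decide(now, now + 3600, 1, 300) == CRED_REUSE ? "reuse" : "reacquire");
    return 0;
}
```

The auth-error branch is the keytab-replacement case from the reply: the cache says the ticket is still valid, so only the server's rejection tells the client to discard it and go back to the KDC.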