[Freeipa-devel] Session design document

Dmitri Pal dpal at redhat.com
Mon Dec 5 14:42:03 UTC 2011


On 12/05/2011 09:33 AM, Stephen Gallagher wrote:
> On Sat, 2011-12-03 at 14:06 -0500, Dmitri Pal wrote:
>> On 12/01/2011 08:48 PM, Simo Sorce wrote:
>>> On Thu, 2011-12-01 at 19:31 -0500, John Dennis wrote:
>>>> On 12/01/2011 06:54 PM, Dmitri Pal wrote:
>>>>> Seems reasonable. I agree with pros and cons and suggestions but I am
>>>>> not the person to make the final approval. Simo?
>>>>>
>>>>> Question for John: Is there any benefit for CLI or is it for UI only?
>>>> Currently it would benefit the UI only. That's mostly because there is 
>>>> no mechanism in the cli to cache the session ID. Adding that wouldn't be 
>>>> too difficult except for the issue of how to store the session ID 
>>>> securely; it would have to be written to a file (unlike with a browser, 
>>>> which is supposed to hold session cookies in memory). Is there an 
>>>> ability to add a data item like this to the user's kerberos credential 
>>>> cache?
>>> Yes we could create a fake key and stick the session id in it.
>>> That was the trick we proposed using when this question was raised a few
>>> months ago during a conference call on the matter.
>>>
>>> Simo.
>>>
>> Can we please then extend the design to include this?
>>
> Another approach (on Linux only) would be to have the CLI stuff the
> session key into the kernel keyring. It would be secure and would be
> capable of outliving the TGT life (if the session expiration is longer
> than the TGT expiration).


We support CLI only on Linux so this is not an issue.
But it would not work across multiple CLI commands as they are different
processes and AFAIU only the process that put the data into the keyring
would be able to fetch it unless we provide a special IPA shell that
keeps one process and executes batch inside it.
Am I wrong?




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


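An added example, not code from this thread or from FreeIPA, showing the kernel keyring option Stephen raises: the session id is stored as a "user" key in the per-UID user keyring (KEY_SPEC_USER_KEYRING), which every process running as that user can search, with a kernel-enforced timeout so it expires independently of the TGT; a forked child then reads it back as a separate process. The key description "ipa:session", the 600 s TTL and the session id are constructed for the example, and raw syscalls are used so no libkeyutils link is needed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/keyctl.h>
#define SESSION_KEY_DESC "ipa:session"  /* hypothetical key description */
#define SESSION_TTL_SECS 600            /* constructed: match the server session lifetime */

/* Store the id in the "user" keyring: a kernel-held blob, never written to a file,
   and visible to every process running as this UID, not only the one that added it. */
static long add_session_key(const char *session_id)
{
    long serial = syscall(SYS_add_key, "user", SESSION_KEY_DESC, session_id,
                          strlen(session_id), KEY_SPEC_USER_KEYRING);
    if (serial < 0) return -errno;
    /* Kernel-enforced expiry: the id disappears when the session should be gone. */
    if (syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, serial, SESSION_TTL_SECS) < 0)
        return -errno;
    return serial;
}

/* Look the id up from any process of the same user; returns length or -errno. */
static long read_session_key(char *buf, size_t buflen)
{
    long serial = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING,
                          "user", SESSION_KEY_DESC, 0);
    if (serial < 0) return -errno;
    long n = syscall(SYS_keyctl, KEYCTL_READ, serial, buf, buflen);
    return n < 0 ? -errno : n;
}

/* 1 if a forked child (a separate process) reads back the same id, 0 if not,
   -errno if the kernel refuses keyring access (e.g. a sandbox seccomp policy). */
static int session_id_survives_fork(const char *session_id)
{
    long serial = add_session_key(session_id);
    if (serial < 0) return (int)serial;
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        char buf[256];
        long n = read_session_key(buf, sizeof buf);
        _exit(n == (long)strlen(session_id) && memcmp(buf, session_id, (size_t)n) == 0 ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    syscall(SYS_keyctl, KEYCTL_UNLINK, serial, KEY_SPEC_USER_KEYRING); /* tidy up */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Any process of the same user can call read_session_key() later, so separate CLI invocations share the id without an IPA shell; a per-process keyring (KEY_SPEC_PROCESS_KEYRING) would not give that.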




