[Freeipa-devel] [PATCH] 1024 add client session support
Martin Kosek
mkosek at redhat.com
Mon Jun 11 16:49:42 UTC 2012
On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> This adds client session support. The session key is stored in the
> >> kernel key ring.
> >>
> >> Your first request should go to /ipa/session/xml where it should be
> >> rejected with a 401. The next will go to /ipa/xml which will be
> >> accepted. This should all be invisible to the client.
> >>
> >> Subsequent requests should go to /ipa/session/xml which should let you
> >> in with the cookie.
> >>
> >> You can add the -vv option after ipa to see fully what is going on, e.g.
> >> ipa -vv user-show admin
> >>
> >> To manage your keyring use the keyctl command like:
> >>
> >> $ keyctl list @s
> >> 2 keys in keyring:
> >> 353548226: --alswrv 1000 -1 keyring: _uid.1000
> >> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
> >>
> >> To remove a key:
> >>
> >> $ keyctl unlink 941350591 @s
> >>
> >> rob
> >
> > Hmm, this doesn't play too nice with the lite-server. Let me see if I
> > can track it down. The ccache is being removed, probably as part of the
> > session code. Sessions don't make sense with the lite server since it
> > uses the local ccache directly.
>
> Updated patch. Don't clean up the ccache if in the lite-server.
>
> rob
>
Good job there. I tested various scenarios (2 master, fallback with SRV
records, old client (RHEL 6.2)) and most worked for me, but only I
worked under the root account. This is what I got with non-root:
$ ipa user-show admin
...
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
ipa: DEBUG: stdout=113632397
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 113632397
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_update: Permission denied
ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
ipa: ERROR: cannot connect to 'any of the configured servers': ...
Shouldn't we use @us instead of @s for storing user session keys?
Secondly, I wonder if we also plan to add some logout command? This way
even if I do kdestroy, the session still exist and someone other may
still execute commands.
Martin
More information about the Freeipa-devel
mailing list