[Freeipa-devel] [PATCH] 1024 add client session support
Martin Kosek
mkosek at redhat.com
Wed Jun 13 07:19:50 UTC 2012
On Tue, 2012-06-12 at 14:10 -0400, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > On 06/11/2012 06:49 PM, Martin Kosek wrote:
> >> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>>>> This adds client session support. The session key is stored in the
> >>>>> kernel key ring.
> >>>>>
> >>>>> Your first request should go to /ipa/session/xml where it should be
> >>>>> rejected with a 401. The next will go to /ipa/xml which will be
> >>>>> accepted. This should all be invisible to the client.
> >>>>>
> >>>>> Subsequent requests should go to /ipa/session/xml which should let you
> >>>>> in with the cookie.
> >>>>>
> >>>>> You can add the -vv option after ipa to see fully what is going on,
> >>>>> e.g.
> >>>>> ipa -vv user-show admin
> >>>>>
> >>>>> To manage your keyring use the keyctl command like:
> >>>>>
> >>>>> $ keyctl list @s
> >>>>> 2 keys in keyring:
> >>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000
> >>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
> >>>>>
> >>>>> To remove a key:
> >>>>>
> >>>>> $ keyctl unlink 941350591 @s
> >>>>>
> >>>>> rob
> >>>>
> >>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I
> >>>> can track it down. The ccache is being removed, probably as part of the
> >>>> session code. Sessions don't make sense with the lite server since it
> >>>> uses the local ccache directly.
> >>>
> >>> Updated patch. Don't clean up the ccache if in the lite-server.
> >>>
> >>> rob
> >>>
> >>
> >> Good job there. I tested various scenarios (2 master, fallback with SRV
> >> records, old client (RHEL 6.2)) and most worked for me, but only I
> >> worked under the root account. This is what I got with non-root:
> >>
> >> $ ipa user-show admin
> >> ...
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
> >> ipa: DEBUG: stdout=113632397
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: args=keyctl pupdate 113632397
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=keyctl_update: Permission denied
> >> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
> >> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
> >> ipa: ERROR: cannot connect to 'any of the configured servers': ...
> >>
> >> Shouldn't we use @us instead of @s for storing user session keys?
> >>
> >>
> >> Secondly, I wonder if we also plan to add some logout command? This way
> >> even if I do kdestroy, the session still exist and someone other may
> >> still execute commands.
> >>
> >> Martin
> >
> > Also: keyctl is in the keyutils package, which we need to depend on.
> >
>
> Nice catch, updated patch.
Thanks. It just needs rebasing (conflicts with pushed password change
capability).
>
> I also included a bit more about why I chose @s instead of @us.
> Basically it is so a different shell can have a different session and
> therefore a different identity.
Hm, personally I am not sure why I would want to have to different
identity in different shell, maybe for custom scripts?
There is a disadvantage for using @s over @us though. This use case will
fail:
# kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
# ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 384000000
GID: 384000000
Account disabled: False
Password: True
Member of groups: admins, trust admins
Kerberos keys available: True
# su admin
$ kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers':
https://vm-021.idm.lab.bos.redhat.com/ipa/session/xml,
https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
This fails because the session under "su" does not have a permission to
update the key. Btw this worked for me when I used @us instead of @s.
>
> I'm going to open a ticket for the logout. For the short-term one can do
> something like:
>
> $ keyctl purge user
>
> Or more precisely:
>
> $ keyctl list @s
> 2 keys in keyring:
> 353548226: --alswrv 1000 -1 keyring: _uid.1000
> 207626975: --alswrv 1000 1000 user: ipa_session_cookie
> $ keyctl unlink 207626975
> 1 links removed
Ok, I think this is fine for now.
Martin
More information about the Freeipa-devel
mailing list