[Freeipa-devel] [PATCH] 1024 add client session support

Petr Viktorin pviktori at redhat.com
Tue Jun 12 14:11:31 UTC 2012


On 06/11/2012 06:49 PM, Martin Kosek wrote:
> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> This adds client session support. The session key is stored in the
>>>> kernel key ring.
>>>>
>>>> Your first request should go to /ipa/session/xml where it should be
>>>> rejected with a 401. The next will go to /ipa/xml which will be
>>>> accepted. This should all be invisible to the client.
>>>>
>>>> Subsequent requests should go to /ipa/session/xml which should let you
>>>> in with the cookie.
>>>>
>>>> You can add the -vv option after ipa to see fully what is going on, e.g.
>>>> ipa -vv user-show admin
>>>>
>>>> To manage your keyring use the keyctl command like:
>>>>
>>>> $ keyctl list @s
>>>> 2 keys in keyring:
>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000
>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
>>>>
>>>> To remove a key:
>>>>
>>>> $ keyctl unlink 941350591 @s
>>>>
>>>> rob
>>>
>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I
>>> can track it down. The ccache is being removed, probably as part of the
>>> session code. Sessions don't make sense with the lite server since it
>>> uses the local ccache directly.
>>
>> Updated patch. Don't clean up the ccache if in the lite-server.
>>
>> rob
>>
>
> Good job there. I tested various scenarios (2 master, fallback with SRV
> records, old client (RHEL 6.2)) and most worked for me, but I only
> worked under the root account. This is what I got with non-root:
>
> $ ipa user-show admin
> ...
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
> ipa: DEBUG: stdout=113632397
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl pupdate 113632397
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_update: Permission denied
> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
> ipa: ERROR: cannot connect to 'any of the configured servers': ...
>
> Shouldn't we use @us instead of @s for storing user session keys?
>
>
> Secondly, I wonder if we also plan to add some logout command? This way,
> even if I do kdestroy, the session still exists and someone else may
> still execute commands.
>
> Martin

Also: keyctl is in the keyutils package, which we need to depend on.

-- 
Petr³
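Added example, not part of the patch under review or of FreeIPA's own code: a small Python sketch of how a client could keep the session cookie in the kernel keyring via keyctl and cope with the two points raised in this thread, the `Permission denied` on `keyctl pupdate` Martin hit as a non-root user, and the lack of a logout. The keyring default `@us` follows Martin's suggestion and is an assumption, as are the function names; the key description `ipa_session_cookie` and the `keyctl list @s` sample are taken from Rob's mail above. The parsing functions run offline; the `run_keyctl` calls require the keyutils package.

```python
"""Keep an IPA session cookie in the kernel keyring with keyctl (illustrative)."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: user-session keyring (@us) rather than @s, as suggested in the thread.
DEFAULT_KEYRING = "@us"
COOKIE_DESCRIPTION = "ipa_session_cookie"   # key description used in the patch

# Constructed sample of `keyctl list @s` output, copied from Rob's mail.
SAMPLE_KEYCTL_LIST = """2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
941350591: --alswrv 1000 1000 user: ipa_session_cookie
"""


@dataclass
class KeyEntry:
    key_id: int
    perms: str
    uid: int
    gid: int
    key_type: str
    description: str


# One `keyctl list` line: "<id>: <perms> <uid> <gid> <type>: <description>"
_LIST_LINE = re.compile(r"^(\d+):\s+(\S+)\s+(-?\d+)\s+(-?\d+)\s+(\w+):\s+(.*)$")


def parse_keyctl_list(output: str) -> List[KeyEntry]:
    """Parse `keyctl list <keyring>`; the "N keys in keyring:" header is skipped."""
    entries = []
    for line in output.splitlines():
        m = _LIST_LINE.match(line.strip())
        if m:
            entries.append(KeyEntry(int(m.group(1)), m.group(2), int(m.group(3)),
                                    int(m.group(4)), m.group(5), m.group(6)))
    return entries


def find_cookie_key(output: str, description: str = COOKIE_DESCRIPTION) -> Optional[int]:
    """Return the id of the 'user' key holding the session cookie, or None."""
    for e in parse_keyctl_list(output):
        if e.key_type == "user" and e.description == description:
            return e.key_id
    return None


def run_keyctl(args: List[str], stdin: Optional[str] = None) -> Tuple[int, str, str]:
    """Run keyctl (keyutils package) and return (rc, stdout, stderr)."""
    proc = subprocess.run(["keyctl", *args], input=stdin, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


class KeyringError(RuntimeError):
    pass


def store_session_cookie(cookie: str, keyring: str = DEFAULT_KEYRING,
                         description: str = COOKIE_DESCRIPTION) -> int:
    """Create or refresh the cookie key and return its id.

    Handles the case Martin reported: `search` finds a key the current uid
    may not update (pupdate -> "Permission denied"). The stale link is dropped
    and a fresh key owned by the caller is added instead of aborting.
    """
    rc, out, err = run_keyctl(["search", keyring, "user", description])
    if rc == 0:
        key_id = out.strip()
        rc, _, err = run_keyctl(["pupdate", key_id], stdin=cookie)
        if rc == 0:
            return int(key_id)
        if "Permission denied" not in err:
            raise KeyringError(err.strip())
        run_keyctl(["unlink", key_id, keyring])  # best effort; padd below may still fail
    rc, out, err = run_keyctl(["padd", "user", description, keyring], stdin=cookie)
    if rc != 0:
        raise KeyringError(err.strip())
    return int(out.strip())


def clear_session_cookie(keyring: str = DEFAULT_KEYRING,
                         description: str = COOKIE_DESCRIPTION) -> bool:
    """Client-side logout: unlink the cookie key; True if a key was removed."""
    rc, out, _ = run_keyctl(["search", keyring, "user", description])
    if rc != 0:
        return False
    rc, _, _ = run_keyctl(["unlink", out.strip(), keyring])
    return rc == 0


if __name__ == "__main__":
    print(find_cookie_key(SAMPLE_KEYCTL_LIST))  # 941350591 from the sample above
```

Note that `clear_session_cookie` only removes the client's copy of the cookie; the session Martin describes still exists on the server until it expires or the server offers a real logout call, so this does not by itself answer his second question.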
