[Freeipa-devel] [PATCH] 1024 add client session support
Rob Crittenden
rcritten at redhat.com
Tue Jun 12 18:10:16 UTC 2012
Petr Viktorin wrote:
> On 06/11/2012 06:49 PM, Martin Kosek wrote:
>> On Thu, 2012-06-07 at 22:55 -0400, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> This adds client session support. The session key is stored in the
>>>>> kernel key ring.
>>>>>
>>>>> Your first request should go to /ipa/session/xml where it should be
>>>>> rejected with a 401. The next will go to /ipa/xml which will be
>>>>> accepted. This should all be invisible to the client.
>>>>>
>>>>> Subsequent requests should go to /ipa/session/xml which should let you
>>>>> in with the cookie.
>>>>>
>>>>> You can add the -vv option after ipa to see fully what is going on,
>>>>> e.g.
>>>>> ipa -vv user-show admin
>>>>>
>>>>> To manage your keyring use the keyctl command like:
>>>>>
>>>>> $ keyctl list @s
>>>>> 2 keys in keyring:
>>>>> 353548226: --alswrv 1000 -1 keyring: _uid.1000
>>>>> 941350591: --alswrv 1000 1000 user: ipa_session_cookie
>>>>>
>>>>> To remove a key:
>>>>>
>>>>> $ keyctl unlink 941350591 @s
>>>>>
>>>>> rob
>>>>
>>>> Hmm, this doesn't play too nice with the lite-server. Let me see if I
>>>> can track it down. The ccache is being removed, probably as part of the
>>>> session code. Sessions don't make sense with the lite server since it
>>>> uses the local ccache directly.
>>>
>>> Updated patch. Don't clean up the ccache if in the lite-server.
>>>
>>> rob
>>>
>>
>> Good job there. I tested various scenarios (2 master, fallback with SRV
>> records, old client (RHEL 6.2)) and most worked for me, but only I
>> worked under the root account. This is what I got with non-root:
>>
>> $ ipa user-show admin
>> ...
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie
>> ipa: DEBUG: stdout=113632397
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pupdate 113632397
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=keyctl_update: Permission denied
>> ipa: INFO: trying https://vm-131.idm.lab.bos.redhat.com/ipa/session/xml
>> ipa: DEBUG: NSSConnection init vm-131.idm.lab.bos.redhat.com
>> ipa: ERROR: cannot connect to 'any of the configured servers': ...
>>
>> Shouldn't we use @us instead of @s for storing user session keys?
>>
>>
>> Secondly, I wonder if we also plan to add some logout command? This way
>> even if I do kdestroy, the session still exist and someone other may
>> still execute commands.
>>
>> Martin
>
> Also: keyctl is in the keyutils package, which we need to depend on.
>
Nice catch, updated patch.
I also included a bit more about why I chose @s instead of @us.
Basically it is so a different shell can have a different session and
therefore a different identity.
I'm going to open a ticket for the logout. For the short-term one can do
something like:
$ keyctl purge user
Or more precisely:
$ keyctl list @s
2 keys in keyring:
353548226: --alswrv 1000 -1 keyring: _uid.1000
207626975: --alswrv 1000 1000 user: ipa_session_cookie
$ keyctl unlink 207626975
1 links removed
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1024-3-session.patch
Type: text/x-diff
Size: 28255 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120612/b71ba454/attachment.bin>
More information about the Freeipa-devel
mailing list