Discussion:
[Freeipa-devel] Issues with session caching in Kerberos ccaches
Alexander Bokovoy
2017-03-22 13:47:17 UTC
Hi,

we have a number of issues with session caching in Kerberos ccaches:

- MIT Kerberos FILE: ccache code always appends entries, so we end
up with ever-growing ccache files. In the KEYRING: case we are lucky that
the add_key syscall actually updates the key with the same name.

- MIT Kerberos FILE: and KEYRING: ccache code does not allow removing a
cred from the ccache. The corresponding functions simply return
KRB5_CC_NOSUPP.

As a result, using the FILE: ccache type does not allow us to override our
session cookie stored as a config entry in the ccache. Successive runs
of the ipa CLI create new entries in the ccache:

# strings /tmp/root.cc|grep -A3 krb5_ccache_conf_data
krb5_ccache_conf_data
fast_avail
krbtgt/***@XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
pa_type
krbtgt/***@XS.IPA.COOL
XS.IPA.COOL
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
***@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188185818841; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:09:45 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
***@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188233395149; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:10:33 GMT; Secure; HttpOnly
--
krb5_ccache_conf_data
X-IPA-Session-Cookie
***@XS.IPA.COOL
Xipa_session=MagBearerToken=SIS%2f5GkhScWqWMQtNzbaGLSGYs6vFWQKXxHXLP46cxEOYG9sg5sNRzgfwwlzSxsTbVnOyQ7xiAdfjuvG4m9OJUL4wDRnii7c%2byrqrjgGBWPZ%2bTikH1oEUP6dhqwgMMx%2bEly0aHFekrUWNHrzxLYZlH4UclWTOYZb6DrjNMZItr2inOrhE23cMwNZRig0jE6S&expiry=1490188672108356; Domain=nyx.xs.ipa.cool; Path=/ipa; Expires=Wed, 22 Mar 2017 13:17:52 GMT; Secure; HttpOnly

The output above is after three successive runs.

Once we put the cookie in the FILE: ccache, it cannot be removed from there
and cannot be replaced. Also, as the retrieval code in krb5_cc_get_conf()
ends up calling krb5_cc_retrieve_cred() with 0 flags and only has a cred
principal name constructed out of our conf key (X-IPA-Session-Cookie),
none of the matching logic for "most recent ticket" can be applied.

I have a workaround in https://github.com/freeipa/freeipa/pull/638 that
allows recovering in the case where we are using the KEYRING: ccache type
and the server refuses to accept our cookie (this happens within about
10-15 minutes after the last time the cookie was used), but I have no
solution for FILE: ccaches.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
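The append-only behaviour the message describes, as an added illustration in Python (this is not FreeIPA or libkrb5 code): a minimal writer and parser for the MIT FILE ccache v4 layout that stores config pseudo-credentials the way krb5_cc_set_config() does (server principal krb5_ccache_conf_data/<key>/<principal>@X-CACHECONF:, value in the ticket field), appends three X-IPA-Session-Cookie entries the way three ipa CLI runs would, and shows that a first-match lookup (what krb5_cc_get_config(), spelled krb5_cc_get_conf() in the post, gets from krb5_cc_retrieve_cred() with flags 0) returns the oldest cookie. The principal, cookie strings and expiry figures are constructed; keyblock, addresses and authdata are left empty and principal unparsing does no escaping; newest_session_cookie() is a hypothetical client-side selection by the cookie's expiry= field, not what the referenced pull request does.

```python
"""Added example: FILE ccache v4 config entries accumulate because FILE: only
appends; a first-match lookup returns the stale cookie.  Constructed data."""
import re
import struct

CONF_REALM = "X-CACHECONF:"          # realm libkrb5 uses for config pseudo-creds
CONF_NAME = "krb5_ccache_conf_data"  # first component of their server principal
SESSION_KEY = "X-IPA-Session-Cookie"


def _data(b):
    return struct.pack(">I", len(b)) + b


def _princ(realm, comps, name_type=1):
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def unparse(princ):
    # Simplified krb5_unparse_name(): no '/' or '@' escaping in components.
    realm, comps = princ
    return "/".join(comps) + "@" + realm


def encode_cred(client, server, ticket, endtime=0):
    """One FILE ccache v4 credential record with an empty keyblock."""
    return (_princ(*client) + _princ(*server)
            + struct.pack(">HI", 0, 0)                # keyblock: enctype 0, no key
            + struct.pack(">IIII", 0, 0, endtime, 0)  # authtime, starttime, endtime, renew_till
            + b"\x00" + struct.pack(">I", 0)          # is_skey, ticket_flags
            + struct.pack(">I", 0)                    # addresses: none
            + struct.pack(">I", 0)                    # authdata: none
            + _data(ticket) + _data(b""))             # ticket, second_ticket


def conf_cred(client, key, value):
    """Mirror of krb5_cc_set_config(): the value rides in the 'ticket' of a
    pseudo-cred for krb5_ccache_conf_data/<key>/<client>@X-CACHECONF:."""
    return encode_cred(client, (CONF_REALM, [CONF_NAME, key, unparse(client)]), value)


def new_ccache(client):
    # version 0x0504, 12-byte header holding the (zero) KDC time offset tag
    header = struct.pack(">HH", 0x0504, 12) + struct.pack(">HHii", 1, 8, 0, 0)
    return header + _princ(*client)


def append_session_cookie(ccache, client, cookie):
    # FILE: krb5_cc_store_cred() appends; it never replaces an existing entry.
    return ccache + conf_cred(client, SESSION_KEY, cookie.encode())


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def princ(self):
        _name_type, n = self.u32(), self.u32()
        realm = self.data().decode()
        return realm, [self.data().decode() for _ in range(n)]

    def cred(self):
        client, server = self.princ(), self.princ()
        self.u16(); self.data()                              # keyblock
        times = struct.unpack(">IIII", self.take(16))
        self.take(1); self.u32()                             # is_skey, ticket_flags
        for _ in range(self.u32()): self.u16(); self.data()  # addresses
        for _ in range(self.u32()): self.u16(); self.data()  # authdata
        ticket = self.data(); self.data()                    # ticket, second_ticket
        return client, server, ticket, times


def parse_ccache(buf):
    r = _Reader(buf)
    if r.u16() != 0x0504:
        raise ValueError("only FILE ccache v4 is handled here")
    r.take(r.u16())                                          # skip header fields
    default = r.princ()
    creds = []
    while r.pos < len(buf):
        creds.append(r.cred())
    return default, creds


def config_values(buf, key):
    """All stored values for a config key, in file order (oldest first)."""
    return [t.decode() for _c, (realm, comps), t, _t in parse_ccache(buf)[1]
            if realm == CONF_REALM and comps[:2] == [CONF_NAME, key]]


def get_config_first_match(buf, key):
    """What a flags=0 krb5_cc_retrieve_cred() walk yields on FILE: the first
    matching entry, i.e. the oldest cookie, with no 'most recent' logic."""
    values = config_values(buf, key)
    return values[0] if values else None


def newest_session_cookie(buf):
    """Hypothetical client-side workaround: prefer the entry whose ipa_session
    cookie carries the largest expiry= value (microseconds since the epoch)."""
    def expiry(v):
        m = re.search(r"expiry=(\d+)", v)
        return int(m.group(1)) if m else 0
    values = config_values(buf, SESSION_KEY)
    return max(values, key=expiry) if values else None


def three_cli_runs():
    """Constructed: admin@XS.IPA.COOL runs the ipa CLI three times."""
    admin = ("XS.IPA.COOL", ["admin"])
    cc = new_ccache(admin)
    for i, exp in enumerate((1490188185818841, 1490188233395149, 1490188672108356)):
        cc = append_session_cookie(cc, admin, f"ipa_session=token{i}&expiry={exp}; Path=/ipa")
    return cc


if __name__ == "__main__":
    cc = three_cli_runs()
    print(len(config_values(cc, SESSION_KEY)), "cookie entries in the ccache")
    print("first match :", get_config_first_match(cc, SESSION_KEY))
    print("newest      :", newest_session_cookie(cc))
```

Running it prints three entries, with the first-match lookup handing back the token0 cookie while the expiry-based pick returns token2; a real libkrb5 client has no such selection because, as the message notes, the retrieve call matches on the conf principal only.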