Bug 1003043 - RFE: Add new kernel keyring type for Kerberos
RFE: Add new kernel keyring type for Kerberos
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-08-30 10:57 EDT by Stephen Gallagher
Modified: 2013-09-04 08:24 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-09-04 08:24:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Stephen Gallagher 2013-08-30 10:57:52 EDT
Description of problem:
In order to address issues with file-based Kerberos credential caches, we should enhance the kernel keyring interface to support newer functionality. Based on discussions between Simo, Nalin, David and myself, we propose the following behavior:

1) We will add a new key type "big_key" that allows us to create keys up to 1MiB in size, backed by internal kernel tmpfs, allowing the contents to be swapped out to disk (unlike most other keyrings, which remain in unswappable kernel memory).

2) We will create a new public interface, keyctl_get_krbcache(uid_t, key_serial_t id). This API will allow the user (and certain privileged root processes such as rpc.gssd and gss-proxy) to access the keys for a particular UID. This keyring shall not be tied to a session (so it can outlive a user on the system if they need to perform actions while not logged in, such as access to secure NFS). The kernel keyring should be created automatically on the first request if it does not yet exist. It must also be possible to manipulate the lifetime timer with functions like keyctl_set_timeout() (to align the keyring life with the credential validity) and must also be possible to be destroyed immediately using the usual keyctl APIs (such as in the kdestroy case).

Version-Release number of selected component (if applicable):
Comment 1 Josh Boyer 2013-08-30 11:24:48 EDT
(In reply to Stephen Gallagher from comment #0) 
> Version-Release number of selected component (if applicable):
> keyutils-1.5.6-1.fc20

We have a bug filed against keyutils with a title of "Add new kernel keyring type for Kerberos".  I'm going to guess that keyutils is indeed impacted, but maybe either:

1) This bug should be against the kernel and a new bug opened for keyutils that depends on this one


2) A new kernel bug is opened, this bug is marked as blocked by it, and is retitled to reflect whatever changes are needed in keyutils.
Comment 2 Josh Boyer 2013-09-03 13:25:35 EDT
Moving this to the kernel.
Comment 3 Josh Boyer 2013-09-03 14:20:43 EDT
I've added the patches required to rawhide and f20.  They were taken from here:

Comment 4 Josh Boyer 2013-09-04 08:24:18 EDT
This made today's branched repo for F20.

I'm closing this out.  If there are issues, please open new bugs.

Note You need to log in before you can comment on or make changes to this bug.