1003043 – RFE: Add new kernel keyring type for Kerberos

Bug 1003043 - RFE: Add new kernel keyring type for Kerberos

Summary: RFE: Add new kernel keyring type for Kerberos

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	20
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-30 14:57 UTC by Stephen Gallagher
Modified:	2013-09-04 12:24 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-09-04 12:24:18 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Stephen Gallagher 2013-08-30 14:57:52 UTC

Description of problem:
In order to address issues with file-based Kerberos credential caches, we should enhance the kernel keyring interface to support newer functionality. Based on discussions between Simo, Nalin, David and myself, we propose the following behavior:

1) We will add a new key type "big_key" that allows us to create keys up to 1MiB in size, backed by internal kernel tmpfs, allowing the contents to be swapped out to disk (unlike most other keyrings, which remain in unswappable kernel memory).

2) We will create a new public interface, keyctl_get_krbcache(uid_t, key_serial_t id). This API will allow the user (and certain privileged root processes such as rpc.gssd and gss-proxy) to access the keys for a particular UID. This keyring shall not be tied to a session (so it can outlive a user on the system if they need to perform actions while not logged in, such as access to secure NFS). The kernel keyring should be created automatically on the first request if it does not yet exist. It must also be possible to manipulate the lifetime timer with functions like keyctl_set_timeout() (to align the keyring life with the credential validity) and must also be possible to be destroyed immediately using the usual keyctl APIs (such as in the kdestroy case).


Version-Release number of selected component (if applicable):
keyutils-1.5.6-1.fc20

Comment 1 Josh Boyer 2013-08-30 15:24:48 UTC

(In reply to Stephen Gallagher from comment #0) 
> Version-Release number of selected component (if applicable):
> keyutils-1.5.6-1.fc20

We have a bug filed against keyutils with a title of "Add new kernel keyring type for Kerberos".  I'm going to guess that keyutils is indeed impacted, but maybe either:

1) This bug should be against the kernel and a new bug opened for keyutils that depends on this one

or

2) A new kernel bug is opened, this bug is marked as blocked by it, and is retitled to reflect whatever changes are needed in keyutils.

Comment 2 Josh Boyer 2013-09-03 17:25:35 UTC

Moving this to the kernel.

Comment 3 Josh Boyer 2013-09-03 18:20:43 UTC

I've added the patches required to rawhide and f20.  They were taken from here:

http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-devel

Comment 4 Josh Boyer 2013-09-04 12:24:18 UTC

This made today's branched repo for F20.

I'm closing this out.  If there are issues, please open new bugs.

Note You need to log in before you can comment on or make changes to this bug.