(Switch to /run/user/UID)
Revision as of 18:26, 15 June 2012
KRB5 Credential Cache Move
Summary
This feature changes the default location of the Kerberos credential cache from /tmp/krb5cc_UID_XXXXXX to /run/user/$UID/krb5cc.
Owner
- Name: Stephen Gallagher
- Email: sgallagh@fedoraproject.org
- Name: Dan Walsh
- Email: dwalsh@fedoraproject.org
Current status
- Targeted release: Fedora 18
- Last updated: 2012-06-15
- Percentage of completion: 75%
Detailed Description
Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.
Benefit to Fedora
The goal is to make credential saving more predictable while avoiding races. Along the way we also gain a little more security, because /run is a tmpfs and cached credentials are therefore automatically removed when the machine is shut off.
Scope
For daemons that use a keytab to kinit because they act as clients (as opposed to servers that only accept Kerberos connections), it may be necessary to add a configuration snippet to their configuration file under /etc/tmpfiles.d so that /run/user/$UID is created with the correct permissions (700) and user ownership.
For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:
d /var/run/user/48 700 apache apache
If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in Bugzilla and add the necessary configuration to tmpfiles.d.
How To Test
1. Verify that, when logging in through SSSD or pam_krb5, the credential cache listed by 'klist' is FILE:/run/user/$UID/krb5cc
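A scripted form of this check, extended to also confirm the directory mode (700) and ownership described under Scope. This is an added example, not part of the Fedora feature page; the function names are hypothetical, and it assumes MIT klist output (a "Ticket cache:" line) and GNU stat.

```shell
#!/bin/sh
# Added example: audit helpers for the /run/user/$UID credential cache layout.
# Function names are hypothetical. Assumes MIT klist and GNU coreutils stat.

# klist_cache_name: read `klist` output on stdin, print the cache name.
klist_cache_name() {
    sed -n 's/^Ticket cache: //p'
}

# ccache_name_ok NAME UID: succeed only if NAME is the new default location.
ccache_name_ok() {
    [ "$1" = "FILE:/run/user/$2/krb5cc" ]
}

# ccache_dir_ok DIR UID: succeed only if DIR is a real directory (not a
# symlink), owned by UID, with mode exactly 700.
ccache_dir_ok() {
    _dir=$1
    _uid=$2
    [ -d "$_dir" ] || return 1
    [ ! -L "$_dir" ] || return 1
    [ "$(stat -c '%u' "$_dir")" = "$_uid" ] || return 1
    [ "$(stat -c '%a' "$_dir")" = "700" ] || return 1
}

# audit_ccache: run both checks for the current user and report the result.
audit_ccache() {
    _me=$(id -u)
    _name=$(klist 2>/dev/null | klist_cache_name)
    if ! ccache_name_ok "$_name" "$_me"; then
        echo "unexpected credential cache: ${_name:-<none>}"
        return 1
    fi
    if ! ccache_dir_ok "/run/user/$_me" "$_me"; then
        echo "wrong owner or mode on /run/user/$_me"
        return 1
    fi
    echo "ok: $_name"
}
```

Source the file and run `audit_ccache` in a session opened through SSSD or pam_krb5; a cache still under /tmp, or a directory that is group- or world-accessible, is reported as a failure.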
User Experience
The end-user experience should be minimally changed. The most noticeable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).
Dependencies
This list is not (yet) complete:
- sssd
- pam_krb5
- mod_auth_kerb
- sshd
- nfs-utils
- kstart
Some other daemons (such as rpc.gssd and sshd) have hard-coded /tmp locations and will require patching to complete this transition.
We are still investigating which packages require changes.
Contingency Plan
Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.
Documentation
- No relevant documentation
Release Notes
- Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$UID in order to increase security and simplify locating the caches for NFSv4.