No edit summary |
(Fix ccdir name) |
||
| Line 10: | Line 10: | ||
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --> | <!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --> | ||
This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$UID/ | This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$UID/ccdir | ||
== Owner == | == Owner == | ||
| Line 76: | Line 76: | ||
--> | --> | ||
1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$UID/ | 1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$UID/ccdir | ||
== User Experience == | == User Experience == | ||
Revision as of 18:51, 7 August 2012
KRB5 Credential Cache Move
Summary
This Feature changes the default location of Kerberos credential cache from living in /tmp/krb5cc_UID_XXXXXX to being /run/user/$UID/ccdir
Owner
- Name: Stephen Gallagher
- Email: sgallagh@fedoraproject.org
- Name: Dan Walsh
- Email: dwalsh@fedoraproject.org
Current status
- Targeted release: Fedora 18
- Last updated: 2012-07-17
- Percentage of completion: 100%
Detailed Description
Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.
Benefit to Fedora
The reason is to make credential saving a bit more predictable while at the same time avoiding races. Along the road we also gain a little bit more security by the fact that /run is a tmpfs and therefore cached credentials are automatically removed if the machine is shut off.
Scope
For daemons that use a keytab to kinit because they act as clients (as opposed to just server that accept kerberos connections), it may be needed to add a configuration snippet in their configuration file under /etc/tmpfiles.d so that /run/user/$UID is created with the correct permissions (700) and user ownership.
For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:
d /var/run/user/48 700 apache apache
If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d
How To Test
1. Verify that when logging in through SSSD or pam_krb5 that the credential cache listed by 'klist' is FILE:/run/user/$UID/ccdir
User Experience
The end-user experience should be minimally changed. The most noticable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials).
Dependencies
This list is not (yet) complete:
- sssd
- pam_krb5
- mod_auth_kerb
- sshd
- nfs-utls
- kstart
For daemons that use a keytab to kinit because they act as clients (as
opposed to just server that accept kerberos connections), it may be
needed to add a configuration snipppet in their configuration file
under /etc/tmpfiles.d so that /run/user/$UID is created with the
correct permissions (700) and user ownership.
For example, httpd would add the following line to the /etc/tmpfiles.d/httpd.conf:
d /var/run/user/48 700 apache apache
Some other daemons (such as rpc.gssd and sshd) have hard-coded /tmp locations and will require patching to complete this transition.
We are still investigating which packages require changes.
Contingency Plan
Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.
Documentation
- No relevant documentation
Release Notes
- Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$UID in order to increase security and simplify locating the caches for NFSv4.