On Thu, Oct 04, 2001 at 10:52:11AM +0100, Mayers, Philip J wrote:
> You know, that's a really rather good idea...
>
> Regards,
> Phil
>
> +------------------------------------------+
> | Phil Mayers |
> | Network & Infrastructure Group |
> | Information & Communication Technologies |
> | Imperial College |
> +------------------------------------------+
Yes, I think so too. :)
This would make proxy tickets worth using... and no TGTs need be
forwarded anywhere this way...
The SSH agent would have to support just a handful of new ops. Here's my
current dream view of it:
- store_krb5_creds(KRB_CREDS(*), primary_user_princ?(**)) : boolean
- get_krb5_creds(client_addresses, user_princ(**), target_princ) : KRB_CREDS(*)
- get_all_krb5_creds(user_princ(**)) : KRB_CREDS(*)
- destroy_all_krb5_creds(user_princ(**)) : boolean
(*) KRB_CREDS exchanged unencrypted -- the SSH channel is already
encrypted. The reason for using unencrypted KRB_CREDS as the creds
transfer format is easy: KRB_CREDS is perfect for ccache
externalization (something MIT krb5 doesn't fully implement
currently). MIT krb5 has had a hack to support making/receiving
unencrypted KRB_CREDS (for the wrong reasons) which can be leveraged
for this.
(**) The user_princ argument would be optional; the primary_user_princ?
argument would indicate whether the user of the given creds is to
be the primary user of the ccache (when user_princ is not given,
then it would default to the primary user princ of the ccache).
The ccache names, for use in KRB5CCNAME, might look like:
KRB5CCNAME=SSH-AGENT
KRB5CCNAME=SSH-AGENT:some_user_princ
The first form says: "the ccache is implemented by the ssh-agent; use
the default user for that ccache". The second form says: "the ccache
is implemented by the ssh-agent; use 'some_user_princ's creds stored
therein".
The SSH_AUTH_SOCK environment variable would be used to retrieve the
actual agent Unix socket name.
Now that OpenSSH is starting to integrate krb5 support (2.9.9 has
support for krb5 in SSHv1 -- patches exist to implement SSH w/ GSS) this
sort of thing may well have a shot.
Cheers,
Nico
> -----Original Message-----
> From: Nicolas Williams [mailto:[EMAIL PROTECTED]]
> Sent: 03 October 2001 20:31
> To: Paul B. Hill; [EMAIL PROTECTED]
> Subject: Re: Ticket stored, accessed where?
>
> It would be nice if there were an agent-type ccache for Unix, much like
> the ccapi one for Windows. Heck, the SSH ssh-agent could be a good place
> to start, particularly in view of SSH's agent forwarding feature.
>
> Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
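The four agent operations and the two KRB5CCNAME forms sketched in Nico's message, modelled as an added, in-memory example. This is not OpenSSH, MIT krb5 or the poster's own code: `Creds` is a constructed stand-in for a KRB_CREDS entry with only the fields the model needs, the rule that an address-bound ticket is handed out only for a non-empty request fully covered by its address list is an assumption, and so is the default that the first user stored becomes primary until a caller says otherwise. No KDC and no agent socket are involved; `SSH_AUTH_SOCK` is only checked for presence.

```python
"""Toy model of an ssh-agent-backed Kerberos ccache (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Creds:
    """Stand-in for one KRB_CREDS entry (assumed fields; the real thing carries more)."""
    client: str                # user principal the ticket was issued to
    server: str                # target service principal the ticket is for
    addresses: FrozenSet[str]  # addresses the ticket is bound to; empty means addressless
    expires: int               # end time as a Unix timestamp


class AgentCcache:
    """In-memory model of the four agent operations from the message."""

    def __init__(self) -> None:
        self._primary: Optional[str] = None
        self._store: Dict[str, List[Creds]] = {}

    def store_krb5_creds(self, creds: Creds, primary_user_princ: bool = False) -> bool:
        self._store.setdefault(creds.client, []).append(creds)
        # Assumption: first stored user becomes primary; an explicit flag overrides.
        if primary_user_princ or self._primary is None:
            self._primary = creds.client
        return True

    def _user(self, user_princ: Optional[str]) -> Optional[str]:
        # user_princ is optional and defaults to the ccache's primary user.
        return user_princ if user_princ is not None else self._primary

    def get_krb5_creds(self, client_addresses: Iterable[str], target_princ: str,
                       user_princ: Optional[str] = None, now: int = 0) -> Optional[Creds]:
        user = self._user(user_princ)
        wanted = set(client_addresses)
        for c in self._store.get(user, []):
            if c.server != target_princ or c.expires <= now:
                continue
            # Assumption: an address-bound ticket needs a non-empty, fully covered request.
            if c.addresses and (not wanted or not wanted <= c.addresses):
                continue
            return c
        return None

    def get_all_krb5_creds(self, user_princ: Optional[str] = None) -> List[Creds]:
        return list(self._store.get(self._user(user_princ), []))

    def destroy_all_krb5_creds(self, user_princ: Optional[str] = None) -> bool:
        user = self._user(user_princ)
        if user not in self._store:
            return False
        del self._store[user]
        if self._primary == user:
            # Fall back to any remaining user, or to no primary at all.
            self._primary = next(iter(self._store), None)
        return True


def resolve_ccache_name(krb5ccname: str) -> Tuple[bool, Optional[str]]:
    """Parse the two KRB5CCNAME forms: 'SSH-AGENT' and 'SSH-AGENT:<user_princ>'."""
    prefix = "SSH-AGENT:"
    if krb5ccname == "SSH-AGENT":
        return True, None
    if krb5ccname.startswith(prefix) and len(krb5ccname) > len(prefix):
        return True, krb5ccname[len(prefix):]
    return False, None  # some other ccache type, not the agent's business


def lookup_from_env(env: Dict[str, str], cache: AgentCcache, client_addresses: Iterable[str],
                    target_princ: str, now: int) -> Optional[Creds]:
    """KRB5CCNAME selects the user; SSH_AUTH_SOCK is how the agent would be reached."""
    is_agent, user = resolve_ccache_name(env.get("KRB5CCNAME", ""))
    if not is_agent or "SSH_AUTH_SOCK" not in env:
        return None
    return cache.get_krb5_creds(client_addresses, target_princ, user_princ=user, now=now)


if __name__ == "__main__":
    cache = AgentCcache()
    cache.store_krb5_creds(Creds("alice@EXAMPLE.COM", "host/box.example.com",
                                 frozenset(), 2000000000), primary_user_princ=True)
    env = {"KRB5CCNAME": "SSH-AGENT", "SSH_AUTH_SOCK": "/tmp/agent.sock"}
    print(lookup_from_env(env, cache, ["10.0.0.5"], "host/box.example.com", now=1000))
```

The model keeps the semantics the message spells out: an omitted user principal falls back to the ccache's primary user, and the `SSH-AGENT:user` name form overrides that default per lookup.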