kernel key ring usage ETA?

Guillaume Rousse Guillaume.Rousse at inria.fr
Fri Mar 23 07:31:50 EDT 2007


Kevin Coffman wrote:
> On 3/22/07, Guillaume Rousse <Guillaume.Rousse at inria.fr> wrote:
>> Hello.
>>
>> I'm reading in the FAQ (and also in other documents) that there is an
>> intended switch to use the kernel to store gss credentials, instead of files,
>> which causes some security issues currently. When is this planned? Is
>> this already available in kernel patches from
>> http://www.citi.umich.edu/projects/nfsv4/linux/kernel-patches/ ?
> 
> My intention is to get it completed and available ASAP.
> 
> I'm curious what security issues you have with storing credentials in
> the file system.
In my tests, I've been able to access a user's files from the root account on a
client after that user authenticated himself from the same client, even
after he deleted his ticket through kdestroy. I thought it was
defeating the assumption that you no longer need to trust clients' root
accounts. And from FAQ questions n°5 (root account using machine
credentials) and n°6 (persistence of credentials after removal of the ticket
through kdestroy), I understood it was a temporary limitation, supposed
to change with the switch to the kernel keyring.

> The current design of the keyring stuff allows credentials to live
> "wherever" and the keyring is used by gssd as a way to locate the
> correct credentials to use when creating a context.  There is an
> option to store the actual credentials themselves in the keyring
> (there is a keyring credentials cache implementation in MIT Kerberos
> 1.6), but it is not required.
> 
> To partially address your other message, there is no plan to make use
> of keyrings on the server.
I now realize that my file access succeeded only because I made my tests
from a single client. And the next implementation won't change much: the root
account on a client will still be able to hijack the credentials of
users on the same client, as you can't hide those from a
privileged user anyway.

As long as root users from other clients can't, everything is fine.
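The exchange above turns on where file-based GSS credentials sit on a client and who can reach them. As an added example (not code from this thread, nor from the CITI NFSv4 patches or MIT Kerberos), the script below audits a directory of MIT-style credential caches. It assumes caches are named krb5cc_<uid> or krb5cc_<uid>_<suffix> and live in one directory (by default /tmp); those names and the sample files it builds are constructed for the demonstration. It reports caches exposed to other unprivileged users on the same host (readable or writable by group/other, owned by a uid other than the one in the name, or replaced by a symlink). Root is deliberately out of scope: as the reply above concludes, nothing in the file system hides a cache from root on the same client, so this check only covers what a non-root local user could take.

```python
#!/usr/bin/env python3
"""Audit file-based Kerberos credential caches on a client.

Added example, not code from the thread or from the CITI NFSv4 patches.
Assumption: MIT-style caches live in one directory (default /tmp) and are
named krb5cc_<uid> or krb5cc_<uid>_<suffix>.  The checks cover exposure to
other unprivileged users on the same host; root is out of scope, since a
file-based cache cannot be hidden from root on the same client.
"""
import os
import re
import stat
import sys
import tempfile

CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_.*)?$")


def audit_ccaches(directory):
    """Return a list of findings, one per cache file that is exposed.

    Each finding is a dict with 'name', 'uid', 'mode' and 'problems'.
    A cache that is a regular file, mode 0600 and owned by the uid in
    its own name produces no finding.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        match = CCACHE_RE.match(name)
        if not match:
            continue
        st = os.lstat(os.path.join(directory, name))
        problems = []
        if stat.S_ISLNK(st.st_mode):
            # A symlink here lets whoever planted it redirect the cache;
            # its own mode bits are meaningless, so stop at this finding.
            problems.append("symlink")
        else:
            if not stat.S_ISREG(st.st_mode):
                problems.append("not-a-regular-file")
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable-by-others")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable-by-others")
            if st.st_uid != int(match.group(1)):
                # The uid embedded in the file name is not the file's owner.
                problems.append("owner-mismatch")
        if problems:
            findings.append({"name": name, "uid": st.st_uid,
                             "mode": stat.S_IMODE(st.st_mode),
                             "problems": problems})
    return findings


def make_demo_dir():
    """Create a temporary directory holding constructed sample caches.

    The files are empty placeholders, not real Kerberos caches; only
    their names, owners and permission bits matter to the audit.
    """
    uid = os.getuid()
    directory = tempfile.mkdtemp(prefix="ccache-audit-")
    samples = [
        ("krb5cc_%d" % uid, 0o600),          # clean: owner-only, uid matches
        ("krb5cc_%d_ABC123" % uid, 0o644),   # readable by every local user
        ("krb5cc_%d" % (uid + 1), 0o600),    # named for a uid that does not own it
        ("not_a_cache.txt", 0o644),          # ignored: does not match the pattern
    ]
    for name, mode in samples:
        path = os.path.join(directory, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    # With no argument, audit the constructed demo directory instead of /tmp.
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_dir()
    for f in audit_ccaches(target):
        print("%s uid=%d mode=%04o %s"
              % (f["name"], f["uid"], f["mode"], ",".join(f["problems"])))
```

Run it as `python3 audit_ccaches.py /tmp` on a client to list exposed caches; run it with no argument to see the two findings from the constructed samples (the world-readable cache and the one whose name does not match its owner). A cache passing every check is still readable by root on that host, which is exactly the limitation the reply above accepts.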


More information about the NFSv4 mailing list