[Freeipa-devel] Session design document

Stephen Gallagher sgallagh at redhat.com
Mon Dec 5 14:44:32 UTC 2011


On Mon, 2011-12-05 at 09:42 -0500, Dmitri Pal wrote:
> On 12/05/2011 09:33 AM, Stephen Gallagher wrote: 
> > On Sat, 2011-12-03 at 14:06 -0500, Dmitri Pal wrote:
> > > On 12/01/2011 08:48 PM, Simo Sorce wrote:
> > > > On Thu, 2011-12-01 at 19:31 -0500, John Dennis wrote:
> > > > > On 12/01/2011 06:54 PM, Dmitri Pal wrote:
> > > > > > Seems reasonable. I agree with pros and cons and suggestions but I am
> > > > > > not the person to make the final approval. Simo?
> > > > > > 
> > > > > > Question for John: Is there any benefit for CLI or it is for UI only?
> > > > > Currently it would benefit the UI only. That's mostly because there is
> > > > > no mechanism in the CLI to cache the session ID. Adding that wouldn't be
> > > > > too difficult except for the issue of how to store the session ID
> > > > > securely; it would have to be written to a file (unlike with a browser,
> > > > > which is supposed to hold session cookies in memory). Is there an
> > > > > ability to add a data item like this to the user's Kerberos credential
> > > > > cache?
> > > > Yes we could create a fake key and stick the session id in it.
> > > > That was the trick we proposed using when this question was raised a few
> > > > months ago during a conference call on the matter.
> > > > 
> > > > Simo.
> > > > 
> > > Can we please then extend the design to include this?
> > > 
> > Another approach (on Linux only) would be to have the CLI stuff the
> > session key into the kernel keyring. It would be secure and would be
> > capable of outliving the TGT life (if the session expiration is longer
> > than the TGT expiration).
> 
> 
> We support CLI only on Linux so this is not an issue.
> But it would not work across multiple CLI commands as they are
> different processes and AFAIU only the process that put the data into
> the keyring would be able to fetch it unless we provide a special IPA
> shell that keeps one process and executes batches inside it.
> Am I wrong?

Yes, you are wrong :) The keyring can be configured to be limited to
either "user" or "user and a specific process ID". We do the latter in
SSSD, but that's a recent change. Previously we were restricting it only
by user.