[Freeipa-devel] Summary of Session discussion

Adam Young ayoung at redhat.com
Thu May 26 18:47:09 UTC 2011 

On 05/26/2011 02:01 PM, Simo Sorce wrote:
> On Thu, 2011-05-26 at 12:53 -0400, Adam Young wrote:
>> There are four cases where we've discussed using sessions for
>> optimizations.  During today's phone discussion we analysed them.
>>
>> 1.  Avoiding the negotiate round trip.
>>
>> Requesting a page protected by Kerberos requires two round trips to the
>> server:  1 for the initializ request, which gets denied with the
>> negotiate challenge, and one for the negotiate response.  mod_auth_kerb
>> can fall back to userid/password.  THe suggestion was t hat we allow
>> mod_auth_kerb to set a session cookie after a successful negotiate
>> request.  Future requests can use that cookie to bypass the negotiate
>> handshake.  The problem with this approach is NFS home directories,
> Can you expand the reasoning about NFS home directories ?

As Stephen Gallagher points out, Secure cookies are held in memory, not 
on disk.  However, the ipa client is a complete process, and it would 
need to be able to store the cookie somewhere for CLI to use.

>>   and
>> root users being able to get  access to the session cookies, allowing a
>> replay attack.
> Root can simply steal your TGT, that is not a concern we have any reason
> to raise here.

I might have root on a machine that can mount via NFS, and thus allow me 
to su to your account, and get read access to your home directory.  I 
don't need root on your machine.  BBut again, only an issue if the 
session cookie got written to disk, which shouldn't happen with session 
cookies.
>>    Note that this is a problem with the userid/password
>> fall-back as well.  We are not going to pursue this right now.
> We are not going to pursue using sessions ? Or concerning ourselves with
> these issues ? :)

I think we are not going to pursue the mod_auth_kerb streamlining I 
outline, at least not in the short term.  An additional issue is getting 
the update to mod_auth_kerb accepted.  I'd say we can purse this in 
parallel, as I think it will be a valuable performance optimisation, but 
it does not have to be part of the IPA work per-se.

>> 2.  Caching the service ticket.  Once the http request has gone through,
>> the ipa web server needs to request a service ticket for LDAP.  If the
>> session contained the service ticket, the could be bypassed for
>> additional requests.  Since the request has to be validated by Kerberos
>> for the initial negotiate call, there is no additional loss of security
>> in caching the ticket.
> Indeed.
>
>>       A potential alternative to server side caching is for the client to
>> request the service ticket and send it in the negotiate handshake.
>> There is some question as to whether the web server would be able to
>> acces this ticket, and also whether the client can somehow request a
>> ticket that the server can use, and still comply with the Kerberos
>> standards.
> This should be possible, but there is no client that can do that right
> now, and changing clients is simply out of our reach in most cases.
Yes, and thus we are not going to pursue that approach.

>> 3.  File Upload.  Session time out provides a means to automate the
>> clean up of files that might otherwise be orphaned.
> What kind of files ?
Certificates and automount maps are the two we've discussed recently.

>> 4.  Windowing search results.  the 'find' APIs as implemented by LDAP
>> limit the responses to 200 records by default.  One request we've had is
>> to provide sorting and windowing.  Windowing here is defined as, for a
>> sorted response, return a delimited number of records starting at an
>> offset greater than 0. The LDAP implementation requires the equivalent
>> of a cursor from the requester, in this case the Apache server.  To
>> maintain association between the user and the cursor, the cursor
>> identifier would be stored in the session.   Implementing this correctly
>> will require further design.  It will likely be done in the future.
> The cursor need also to be associated to a specific query, cannot be
> just a session-global variable.
Agreed.  It means that subsequent API calls can reuse a specific 
query.    But we want it to be optional, or there would be significant 
overhead, and thus we'll postpone this approach for now.


>> In summary, the caching of the service ticket alone provides a
>> compelling reason to implement sessions.  File upload will take
>> advantage of them.  Other uses may be found over time.
> Very good, thanks for taking up on this analysis task.
>
> Simo.
>

More information about the Freeipa-devel mailing list