Learn more about these different git repos.
Other Git URLs
Currently, SSSD is only capable of extending a user's kerberos tickets as long as there is renewable time remaining on the ticket. We have had many users over the years request the ability to have SSSD retain the user's credentials outside of the user session for use in cron jobs which may take place well outside of the user's login period.
We acknowledge that this represents an implicit security complication. With the user ticket being effectively eternal, the window of potential attack is significantly wider. Additionally, this action is implicitly violating the KDC administrator's restrictions on the length of ticket validity.
That being said, there is nothing preventing this from happening today (and many of our users are implementing workarounds to this effect). By building this feature into SSSD and using the kernel keyring, we can at least minimize the impact by limiting the possible access to the credentials (and avoiding the need for a plaintext file on the disk).
I envision this behaving as follows:
When discussing this on IRC, I originally thought to use the periodic task API for this, but I suspect that the need to handle offline events specially will leave us using regular timers instead.
This is what GSS proxy is for. I do not think we should do it in SSSD. If you have jobs that need to run unattended you can do it using a special application account. We also talked with Simo about ability to allow one account have more than one key so that you can use GSS proxy with user keytab while user can login in using his password. There is a corresponding ticket on the IPA side.
I suggest we defer it not close this ticket.
I don't think that's a good idea. By supporting two keys for the user, you're doubling the attack surface. Furthermore, by keeping the user credentials in a keytab on the system, you're making it very easy for anyone who has gained root access to steal the credentials (whereas with careful use of the kernel keyring, we can make it very hard to gain access to the keys).
I'm adding Simo as a CC on this ticket so he can comment as well.
cc: => simo
May be this is why we did not rush to suggest to implement it. So that leaves GSS proxy as the primary solution.
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred rhbz: => todo
We made a decision to use kernel keyring as a storage for kerberos ccache to overcome the problem of creating user owned directory for user to store the cache that exists in Fedora 19. We are pulling this ticket in.
milestone: SSSD Deferred => SSSD 1.10.2
milestone: SSSD 1.10.2 => NEEDS_TRIAGE
milestone: NEEDS_TRIAGE => SSSD Deferred
Metadata Update from @sgallagh: - Issue set to the milestone: SSSD Patches welcome
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3032
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.