diff --git a/rhel8/kerberos.md b/rhel8/kerberos.md index ed83e879..2cd8ffac 100644 --- a/rhel8/kerberos.md +++ b/rhel8/kerberos.md @@ -2,6 +2,7 @@ This document describes the state of Kerberos on RHEL 8. This includes the current open issues, a user guide and how we solved the KCM (Kerberos Cache Manager) issues. +At the bottom you find sequence diagrams showing the interactions concerning authentication and Kerberos. ## Open Problems 
@@ -272,22 +273,35 @@ Note that the reason for `systemd --user` to use the same credential cache as th The code you find in [Gitlab](https://git.psi.ch/linux-infra/pam_single_kcm_cache) where there is currently an [open merge request for the initial commit](https://git.psi.ch/linux-infra/pam_single_kcm_cache/-/merge_requests/1). I plan to make that public on Github. -### Red Hat Ticket -I have an [ticket](https://access.redhat.com/support/cases/#/case/03280446) open with Red Hat on this case. On the first part I concentrated on the missing session isolation, but it showed that this is the supposed behaviour of a KCM setup. +## Diagrams about Kerberos related Interactions -One Problem is that our machines have some non-standard software which is not covered by the support. It is YFS for AFS and NoMachine NX. +### Login with SSH using Password Authentication +![Login with SSH and Password Authentication](kerberos/kerberos_sshd_password_only.png) -Then it is not that easy to reproduce as the problem is best seen in a long running and used system. To create such a test system with several users and many expired sessions means quite some effort. +That is kind of the "common" authentication case where all important work is done in PAM. This is the same for login on the virtual console or when using `su` with password. At the end there is an shell session with a credential cache which is not used by any other session (unless the user shares it somehow manually). Like this session isolation is achieved. -I posted a few strange looking `klist` outputs and asked for explanation, but that seamed not yet to have reached someone with intimidate `sssd-kcm` knowledge. +### Login with SSH using Kerberos Authentication and TGT Delegation +![Login with SSH and Password Authentication](kerberos/kerberos_sshd_tgt_delegation.png) -I hope that sharing this document with them will help. 
+This is a bit simpler as all the authentication is done in `sshd` and only the session setup is done by PAM. Note that `sshd` does not use the default cache, but instead creates always a new one with the delegated TGT. -### Other Options +### Systemd User Instance -- another selfmade daemon to monitor/clean up `sssd-kcm` +In above diagrams we see how `systemd --user` is being started. It is also using PAM to setup its own session, but it does not do any authentication. -Fill in your ideas. +![Login with SSH and Password Authentication](kerberos/kerberos_systemd_user.png) + +Here we use a predefined name for the credential cache so it can be shared with the desktop sessions. The next diagram shows more in detail how `systemd --user` and the Gnome desktop interact. + +### Gnome Desktop + +This is the most complex use case: + +![Gnome Desktop](kerberos/kerberos_desktop.png) + +At the end we have a well known shared credential cache between Gnome and `systemd --user`. This is needed `systemd --user` is used extensively by Gnome. Important is that the Kerberos setup already happens at authentication phase as there is no session setup phase for screen unlock as the user returns there to an already existing session. + +With NoMachine NX this is configured similarly. ## PS There is an advanage in the broken `sssd-kcm` default cache selection: it forces us to make our stuff robust against KCM glitches, which might also occur with a better manager, just way less often and then it would be more harder to explain and to track down.
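Review bot: in the first hunk, the added pointer "At the bottom you find sequence diagrams ..." is not accurate once the second hunk is applied, because the new "## Diagrams about Kerberos related Interactions" section is followed by "## PS", so the diagrams are not at the bottom of the document. Replace it with a direct anchor link, e.g. "See the [sequence diagrams](#diagrams-about-kerberos-related-interactions) showing the interactions concerning authentication and Kerberos.", which also fixes the grammar ("you find" reads better as "you will find").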
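Review bot: in the second hunk, the alt text of two new images is copy-pasted from the first one: both `![Login with SSH and Password Authentication](kerberos/kerberos_sshd_tgt_delegation.png)` and `![Login with SSH and Password Authentication](kerberos/kerberos_systemd_user.png)` should describe their own diagram ("Login with SSH and Kerberos Authentication with TGT Delegation" and "Systemd User Instance"), otherwise a reader of the rendered page with images disabled gets the wrong idea of which flow is shown. Two smaller points in the same hunk: the sentence "This is needed `systemd --user` is used extensively by Gnome." is missing a "because" (or "as") after "needed", and "there is an shell session" should be "there is a shell session". Also, this hunk drops the whole "### Red Hat Ticket" section including the link to the open support case and the "### Other Options" list, but the remaining "## PS" still talks about the broken `sssd-kcm` default cache selection; if the case is still open, keep at least the case link (for example under "## Open Problems") so the vendor-side tracking of the KCM issue is not lost from the document.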