add Kerberos sequence diagrams

rhel8/kerberos/kerberos_desktop.puml

@@ -0,0 +1,97 @@
+@startuml
+
+title 
+    **Desktop Authentication**
+    Needs a shared credential cache with //systemd --user// as it is used to start some processes
+    and the TGT needs to be updated on reauthentication when unlocking the screen.
+end title
+
+actor user
+box gdm
+    participant gdm
+    participant libpam
+    participant "pam_sssd.so" as pam_sssd
+    participant "pam_systemd.so" as pam_systemd
+    participant "pam_single_kcm_cache.so" as pam_single_kcm_cache
+end box
+participant sssd
+participant "systemd --user" as systemd
+box KCM
+    participant "sssd-kcm" as sssd_kcm
+    participant "credential cache KCM:$UID:61555" as default_cache
+    participant "credential cache KCM:$UID:desktop" as shared_cache
+end box
+box Gnome
+participant "gnome-session-binary" as gnome_session
+participant "gnome-shell" as gnome_shell
+participant Firefox as firefox
+participant "gnome-terminal" as gnome_terminal
+end box
+box Active Directory
+    participant KDC as kdc
+end box
+
+== authentication ==
+user -> gdm : authenticates with password
+gdm -> libpam : authenticate user
+libpam -> pam_sssd : //pam_sm_setcred()//
+pam_sssd -> sssd : authenticate
+sssd -> kdc : authenticate and get TGT
+sssd -> sssd_kcm : get default cache
+sssd -> default_cache : place TGT
+libpam -> pam_single_kcm_cache : //pam_sm_setcred()//
+pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
+note right: the default cache may change in between
+pam_single_kcm_cache -> default_cache: get TGT
+pam_single_kcm_cache -> sssd_kcm : create new shared cache if it does not exist yet
+create shared_cache
+sssd_kcm -> shared_cache: create
+pam_single_kcm_cache -> shared_cache: place newest TGT
+pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:desktop//
+
+gdm -> libpam : setup session
+libpam -> pam_systemd : //pam_sm_open_session()//
+create systemd
+pam_systemd -> systemd: start if not running yet
+
+== starting the desktop ==
+create gnome_session
+gdm -> gnome_session : start Gnome session
+gnome_session -> systemd : start some Gnome services
+gnome_session -> gnome_session: start more Gnome services
+create gnome_shell
+gnome_session -> gnome_shell: start Gnome Shell
+
+== starting programs ==
+user -> gnome_shell: open browser
+create firefox
+gnome_shell -> firefox : start
+
+user -> gnome_shell : open terminal
+gnome_shell -> systemd: start gnome-terminal
+create gnome_terminal
+systemd -> gnome_terminal: start
+
+== screen lock and unlock ==
+user -> gnome_shell : lock screen
+gnome_shell -> gdm : lock screen
+
+user -> gdm : authenticates with password
+gdm -> libpam : authenticate user
+libpam -> pam_sssd : //pam_sm_setcred()//
+pam_sssd -> sssd : authenticate
+sssd -> kdc : authenticate and get TGT
+sssd -> sssd_kcm : get default cache
+sssd -> default_cache : place TGT
+libpam -> pam_single_kcm_cache : //pam_sm_setcred()//
+pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
+note right: the default cache may change in between
+pam_single_kcm_cache -> default_cache: get TGT
+pam_single_kcm_cache -> sssd_kcm : get shared cache
+pam_single_kcm_cache -> shared_cache: place newest TGT
+note over gdm : no session setup step
+gdm -> gnome_shell : screen unlocked
+
+@enduml
+
+

rhel8/kerberos/kerberos_sshd_password_only.puml

@@ -0,0 +1,54 @@
+@startuml
+
+title 
+    **SSH with Password Authentication**
+    Provide every shell session an individual and isolated credential cache in KCM.
+end title
+hide footbox
+
+actor user
+box sshd
+    participant sshd
+    participant libpam
+    participant "pam_sssd.so" as pam_sssd
+    participant "pam_systemd.so" as pam_systemd
+    participant "pam_single_kcm_cache.so" as pam_single_kcm_cache
+end box
+participant sssd
+participant "systemd --user" as systemd
+box KCM
+    participant "sssd-kcm" as sssd_kcm
+    participant "credential cache KCM:$UID:61555" as default_cache
+    participant "credential cache KCM:$UID:sitmchszro" as random_cache
+end box
+participant bash
+box Active Directory
+    participant KDC as kdc
+end box
+
+user -> sshd : connects using //ssh//\nwith authentication method //password//
+sshd -> libpam : authenticate user
+libpam -> pam_sssd : //pam_sm_setcred()//
+pam_sssd -> sssd : authenticate
+sssd -> kdc : authenticate and get TGT
+sssd -> sssd_kcm : get default cache
+sssd -> default_cache : place TGT
+sshd -> libpam : setup session
+libpam -> pam_systemd : //pam_sm_open_session()//
+create systemd
+pam_systemd -> systemd: start if not running yet
+libpam -> pam_single_kcm_cache : //pam_sm_open_session()//
+pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
+note right: the default cache may change in between
+pam_single_kcm_cache -> default_cache: get TGT
+pam_single_kcm_cache -> sssd_kcm : create new random cache
+create random_cache
+sssd_kcm -> random_cache: create
+pam_single_kcm_cache -> random_cache: place newest TGT
+pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:sitmchszro//
+create bash
+sshd -> bash : start
+
+@enduml
+
+

rhel8/kerberos/kerberos_sshd_tgt_delegation.puml

@@ -0,0 +1,47 @@
+@startuml
+
+title 
+    **SSH with TGT Delegation**
+    Provide every shell session an individual and isolated credential cache in KCM.
+end title
+hide footbox
+
+actor user
+box sshd
+    participant sshd
+
+    participant libpam
+    participant "pam_systemd.so" as pam_systemd
+    participant "pam_single_kcm_cache.so" as pam_single_kcm_cache
+end box
+participant "systemd --user" as systemd
+box KCM
+    participant "sssd-kcm" as sssd_kcm
+    participant "credential cache KCM:$UID:61555" as default_cache
+    participant "credential cache KCM:$UID:sitmchszro" as random_cache
+end box
+participant bash
+
+user -> sshd : connects using //ssh//\nwith //GSSAPIDelegateCredentials=yes//\nand authentication method //gssapi-with-mic//
+note right: authentication is done without libpam
+sshd -> sssd_kcm : get default cache
+sshd -> default_cache : place delegated TGT
+sshd -> libpam : setup session
+libpam -> pam_systemd : //pam_sm_open_session()//
+create systemd
+pam_systemd -> systemd: start if not running yet
+libpam -> pam_single_kcm_cache : //pam_sm_open_session()//
+pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
+note right: the default cache may change in between
+pam_single_kcm_cache -> default_cache: get TGT
+pam_single_kcm_cache -> sssd_kcm : create new random cache
+create random_cache
+sssd_kcm -> random_cache: create
+pam_single_kcm_cache -> random_cache: place newest TGT
+pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:sitmchszro//
+create bash
+sshd -> bash : start
+
+@enduml
+
+

rhel8/kerberos/kerberos_systemd_user.puml

@@ -0,0 +1,35 @@
+@startuml
+
+title 
+    **Startup of Systemd User Instance**
+    One single //systemd --user// instance spans from the start of the first session
+    to the end of the last session and has access to the same credential cache as the desktop.
+end title
+hide footbox
+
+box Systemd User Instance
+    participant "systemd --user" as systemd
+    participant libpam
+    participant "pam_single_kcm_cache.so" as pam_single_kcm_cache
+end box
+box KCM
+    participant "sssd-kcm" as sssd_kcm
+    participant "credential cache KCM:$UID:61555" as default_cache
+    participant "credential cache KCM:$UID:desktop" as shared_cache
+end box
+
+note over systemd : no authentication step
+systemd -> libpam : setup session
+libpam -> pam_single_kcm_cache : //pam_sm_open_session()//
+pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
+note right: the default cache may change in between
+pam_single_kcm_cache -> default_cache: get TGT
+pam_single_kcm_cache -> sssd_kcm : create shared cache if not yet exists
+create shared_cache
+sssd_kcm -> shared_cache: create
+pam_single_kcm_cache -> shared_cache: place newest TGT
+pam_single_kcm_cache -> libpam: set //KRB5CCNAME=KCM:$UID:desktop//
+
+@enduml
+
+