add Kerberos sequence diagrams

2022-11-02 11:23:32 +01:00
parent e42e44aac4
commit 5de6c45295
3 changed files with 8 additions and 6 deletions
+1 -1
@@ -262,7 +262,7 @@ and providing a working TGT in these caches.
I identified so far two cases of the program flow in PAM to manage:
- **TGT delegation** as done by `sshd` with authentication method `gssapi-with-mic`, where a new cache is created by `sshd` and then filled with the delegated ticket
- **TGT creation** as done by `sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache.
- **TGT creation** as done by `pam_sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache.
Now there is no simple and bullet proof selection of where the TGT ends up in KCM.
The KCM designated default cache might it be or not.
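Review bot: the replacement bullet for `pam_sss.so` still carries the typo "created an placed" from the line it replaces; since this line is being touched anyway, make it "where a new TGT is created and placed into the `KCM` managed default cache." The module rename itself (`sss.so` to `pam_sss.so`) is correct and matches the PAM module naming used elsewhere in the text.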
Binary file (image) changed, not shown: 75 KiB before, 80 KiB after.

@@ -17,23 +17,25 @@ end box
participant "systemd --user" as systemd
box KCM
participant "sssd-kcm" as sssd_kcm
participant "credential cache KCM:$UID:61555" as default_cache
participant "credential cache KCM:$UID:61555" as new_cache
participant "credential cache KCM:$UID:sitmchszro" as random_cache
end box
participant bash
user -> sshd : connects using //ssh//\nwith //GSSAPIDelegateCredentials=yes//\nand authentication method //gssapi-with-mic//
note right: authentication is done without libpam
sshd -> sssd_kcm : get default cache
sshd -> default_cache : place delegated TGT
sshd -> sssd_kcm : get new cache
create new_cache
sssd_kcm -> new_cache : create
sshd -> new_cache : place delegated TGT
sshd -> libpam : setup session
libpam -> pam_systemd : //pam_sm_open_session()//
create systemd
pam_systemd -> systemd: start if not running yet
libpam -> pam_single_kcm_cache : //pam_sm_open_session()//
pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT
note right: the default cache may change in between
pam_single_kcm_cache -> default_cache: get TGT
note right: the default cache might be KCM:$UID:61555 or not
pam_single_kcm_cache -> new_cache: get TGT
pam_single_kcm_cache -> sssd_kcm : create new random cache
create random_cache
sssd_kcm -> random_cache: create
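Review bot: the two participants `default_cache` and `new_cache` are both declared with the identical display name `credential cache KCM:$UID:61555`; if both declarations remain in the diagram, PlantUML will render two boxes with the same label, and the later `get TGT` arrows to `default_cache` and `new_cache` become indistinguishable to the reader. Given the note "the default cache might be KCM:$UID:61555 or not", consider giving `default_cache` a distinct label (for example `credential cache KCM:$UID:<default>`) so the diagram itself shows that the delegated cache and the KCM default cache are not necessarily the same one.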