Are non-FILE credential caches supported?

Marcin Cieslak saper at saper.info
Thu Mar 15 09:55:57 CET 2018


Hello,

There is a bug report (https://github.com/heimdal/heimdal/issues/355) saying
that using FILE: credential cache designator does not work. Interestingly enough,
it works for me (FreeBSD 11.1, heimdal 7.5.0 from FreeBSD ports).

Trying to use other cache types causes strange errors though:

With /home/saper/.krb5cc directory existing an attempt to set in /etc/krb5.conf

[libdefaults]
	default_cc_name = DIR:/home/saper/.krb5cc

causes kinit to crash because we explicitly pass NULL to dcc_resolve() in dcache.c:362:

% gdb /usr/local/bin/kinit
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
(gdb) run
Starting program: /usr/local/bin/kinit 

Program received signal SIGSEGV, Segmentation fault.
dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
362	    (*id)->data.data = dc;
Current language:  auto; currently minimal
(gdb) bt
#0  dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
#1  0x0000000800ee9d0d in dcc_get_cache_first (context=0x803846000, cursor=0x8038421f8)
    at dcache.c:568
#2  0x0000000800ed4799 in krb5_cc_cache_get_first (context=0x803846000, 
    type=0x800f3f4e4 "DIR", cursor=0x8038421d8) at cache.c:1145
#3  0x0000000800ed4c42 in krb5_cccol_cursor_next (context=0x803846000, 
    cursor=0x8038421d0, cache=0x7fffffffe1f8) at cache.c:1532
#4  0x0000000800ed48f0 in krb5_cc_cache_match (context=0x803846000, 
    client=0x8038353a0, id=0x7fffffffe3c8) at cache.c:1227
#5  0x0000000000403cc1 in main (argc=0, argv=0x7fffffffe870) at kinit.c:1315

Looking at the code it seems to me that "DIR" ccache type is simply not implemented.

With
	default_cc_name = SCC:/home/saper/krb5cc.sqlite

it is even more interesting.

kinit seems to ignore the file part and always creates SCC:/tmp/krb5scc_%{uid}:

% ls -l /tmp/krb5scc_169 
-rw-------  1 saper  wheel  20480 22 lut 22:32 /tmp/krb5scc_169
saper@poniatowski:~ % sqlite3 /tmp/krb5scc_169
SQLite version 3.21.0 2017-10-24 18:55:49
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;

but "klist" is not so smart:

% /usr/local/bin/klist
klist: krb5_cc_get_principal: No principal for cache SCC:/home/saper/krb5cc.sqlite:/tmp/krb5scc_169

but klist -A seems to somehow work:

% /usr/local/bin/klist -A
Credentials cache: SCC:unique-0x803849000
        Principal: saper@MYDOMAIN.ORG

  Issued                Expires               Principal
Feb 22 22:32:57 2018  Feb 23 22:32:57 2018  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG

Some records seem to be written to the /tmp/krb5cc_169 database, but
kdestroy does not seem to remove them (it exits silently).

I am looking for a possibility to store multiple tickets from many realms independently -
I've been using DIR ccache with MIT Kerberos quite successfully.

Is there any credential cache other than FILE working with Heimdal?

FreeBSD-specific note:

This is Heimdal 7.5.0 installed from ports, that's why /usr/local/bin/{kinit,kdestroy,klist}
commands are used; FreeBSD base comes with Heimdal 1.5.2, but port tools are properly linked
with 7.5.0 libraries, so I don't think there's any hiccup here.

% ldd /usr/local/bin/kinit
/usr/local/bin/kinit:
	libkafs.so.0 => /usr/local/lib/heimdal/libkafs.so.0 (0x80082a000)
	libheimbase.so.1 => /usr/local/lib/heimdal/libheimbase.so.1 (0x800a34000)
	libhx509.so.5 => /usr/local/lib/heimdal/libhx509.so.5 (0x800c48000)
	libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800ea6000)
	libheimntlm.so.0 => /usr/local/lib/heimdal/libheimntlm.so.0 (0x80115e000)
	libwind.so.0 => /usr/local/lib/heimdal/libwind.so.0 (0x801369000)
	libhcrypto.so.4 => /usr/local/lib/heimdal/libhcrypto.so.4 (0x801592000)
	libasn1.so.8 => /usr/local/lib/heimdal/libasn1.so.8 (0x8017e2000)
	libcom_err.so.1 => /usr/local/lib/heimdal/libcom_err.so.1 (0x801ad4000)
	libroken.so.18 => /usr/local/lib/heimdal/libroken.so.18 (0x801cd9000)
	libsqlite3.so.0 => /usr/local/lib/libsqlite3.so.0 (0x801ef2000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x802400000)
	libintl.so.8 => /usr/local/lib/libintl.so.8 (0x802869000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x802a73000)
	libthr.so.3 => /lib/libthr.so.3 (0x802c92000)
	libc.so.7 => /lib/libc.so.7 (0x802eba000)
	libm.so.5 => /lib/libm.so.5 (0x803272000)

Marcin
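The SCC schema dumped above contains two triggers that are meant to cascade a cache deletion down to its credentials and principals rows, which is exactly the path a working kdestroy relies on. The following Python script is an added example, not Heimdal's code: it recreates that schema verbatim in an in-memory SQLite database, stores one constructed ticket, deletes the cache row the way a cache destroy would, and provides an orphaned-credentials query that can be run against any connection to an SCC file to check whether stale credentials were left behind. The cache name, principals, and the principal `type` values 0 (client) and 1 (server) are assumptions made for illustration; the report shows the schema but no rows.

```python
import sqlite3

# Schema exactly as shown by `.schema` on the SCC cache in the report above.
SCC_SCHEMA = """
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;
"""


def open_scc(path=":memory:"):
    """Create a fresh database carrying the SCC schema (in memory by default)."""
    conn = sqlite3.connect(path)
    conn.executescript(SCC_SCHEMA)
    return conn


def add_cache(conn, name, principal):
    """Create one credential cache row and return its oid."""
    cur = conn.execute("INSERT INTO caches (principal, name) VALUES (?, ?)",
                       (principal, name))
    conn.commit()
    return cur.lastrowid


def add_credential(conn, cid, client, server, kvno=1, etype=18,
                   created_at=0, cred=b"\x00"):
    """Store one ticket for cache `cid` plus its client/server principal rows.
    The type values 0 (client) and 1 (server) are an assumption made for this
    example; the report shows the schema but no rows."""
    cur = conn.execute(
        "INSERT INTO credentials (cid, kvno, etype, created_at, cred) "
        "VALUES (?, ?, ?, ?, ?)", (cid, kvno, etype, created_at, cred))
    cred_id = cur.lastrowid
    conn.executemany(
        "INSERT INTO principals (principal, type, credential_id) VALUES (?, ?, ?)",
        [(client, 0, cred_id), (server, 1, cred_id)])
    conn.commit()
    return cred_id


def row_counts(conn):
    """Rows per table, so we can see what a cache delete really removes."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("caches", "credentials", "principals")}


def orphaned_credentials(conn):
    """Audit check: oids of credentials whose cache row no longer exists.
    A correctly cascading destroy must leave this list empty."""
    rows = conn.execute(
        "SELECT c.oid FROM credentials c LEFT JOIN caches k ON c.cid = k.oid "
        "WHERE k.oid IS NULL").fetchall()
    return [r[0] for r in rows]


def destroy_cache(conn, cid):
    """Delete one cache row; the schema's triggers cascade to creds and principals."""
    conn.execute("DELETE FROM caches WHERE oid = ?", (cid,))
    conn.commit()


def demo():
    """Constructed sample: one cache holding one TGT, then destroy it."""
    conn = open_scc()
    cid = add_cache(conn, "unique-0x803849000", "saper@MYDOMAIN.ORG")
    add_credential(conn, cid, "saper@MYDOMAIN.ORG",
                   "krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG")
    before = row_counts(conn)
    destroy_cache(conn, cid)
    after = row_counts(conn)
    return before, after, orphaned_credentials(conn)


if __name__ == "__main__":
    print(demo())
```

To audit a real cache file rather than the in-memory sample, open it with `sqlite3.connect(path)` directly (do not call `open_scc`, which creates the schema) and run `orphaned_credentials` on that connection; any oids it returns are tickets no cache row references any more.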