Re: [PATCH 2/2] cifs-utils: infrastructure for stashing passwords in keyring

On Fri, 20 Aug 2010 11:45:14 +0400
Igor Druzhinin <jaxbrigs@xxxxxxxxx> wrote:

> This is the userspace part of a new infrastructure for stashing passwords
> in the kernel keyring on a per-user basis. The patch adds the "cifscreds"
> utility for managing keys with credentials. Building the utility
> from the distribution is possible with the --enable-cifscreds=yes option of
> the configure script.
> 
> Signed-off-by: Igor Druzhinin <jaxbrigs@xxxxxxxxx>


I've started dusting off this work with the aim of extending multiuser
mount code to non-krb5 mounts. While doing this, I've found a couple of
problems...

The current scheme is to store a key with this description:

    cifscreds:<ip>:<username>:[domainname]

The first problem is that the username shouldn't be part of the
description. We don't necessarily know what the username will be in
advance. It may be different from the local unix username. So I think
we need to eliminate the "username" part from the description and
instead store that name in the "payload". We should probably also make
the port number part of the address for situations where the host
has multiple smb servers with different credential DBs.

The second problem is that "ip" and "domainname" should basically be
mutually exclusive. IOW, someone ought to specify an ip address for
which the credentials are valid, or specify credentials that will work
for any machine that's in a particular domain.

So, I think we need 2 key description formats:

    cifscreds:address+port

...and...

    cifscreds:domain

...and the username and password should be stored together in the value
part of the key.

Then, the kernel's algorithm can look something like this:

1) see if there are credentials for the IP address (and maybe port)
with which we are communicating

...if those don't exist...

2) see if there are credentials for the domain that the server claims
to be part of

Does this make sense? If so, then I'll start work on a patchset to
change this over (unless you would rather do the work).

Thanks,
-- 
Jeff Layton <jlayton@xxxxxxxxx>
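The two description formats and the two-step lookup proposed in the message above, as an added example. This is not cifs-utils or kernel code: the in-memory dict standing in for the kernel keyring, the function names, the "+" separator handling, the upper-casing of domain names and the "username:password" payload layout are assumptions made for the illustration.

```python
"""Model of the proposed cifscreds key descriptions and lookup order.

Added example, not cifs-utils or kernel code.  A plain dict stands in for
the kernel keyring (description -> payload); everything else is an
assumption chosen to show the scheme, not the project's real format.
"""
import ipaddress
from typing import Dict, Optional, Tuple

PREFIX = "cifscreds"
DEFAULT_PORT = 445

Keyring = Dict[str, bytes]  # stand-in for the kernel keyring


def host_description(address: str, port: int = DEFAULT_PORT) -> str:
    """cifscreds:address+port.  '+' (not ':') separates the port so an
    IPv6 address, which itself contains colons, stays unambiguous."""
    ipaddress.ip_address(address)  # raises ValueError if not an address
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"{PREFIX}:{address}+{port}"


def domain_description(domain: str) -> str:
    """cifscreds:domain.  Upper-cased on the assumption that domain names
    are matched case-insensitively."""
    if not domain or any(c in domain for c in ":+"):
        raise ValueError(f"bad domain {domain!r}")
    return f"{PREFIX}:{domain.upper()}"


def classify_description(desc: str) -> Tuple[str, str, Optional[int]]:
    """Tell a host key from a domain key by its description alone.
    Returns ("host", address, port) or ("domain", DOMAIN, None)."""
    prefix, sep, rest = desc.partition(":")
    if prefix != PREFIX or not sep:
        raise ValueError(f"not a {PREFIX} key: {desc!r}")
    addr, plus, port = rest.rpartition("+")
    if plus and port.isdigit():
        try:
            ipaddress.ip_address(addr)
            return ("host", addr, int(port))
        except ValueError:
            pass  # '+' but no address in front of it: treat as a domain
    return ("domain", rest, None)


def encode_payload(username: str, password: str) -> bytes:
    """username:password in the key value.  The username may not contain
    ':'; the password may, because decoding splits on the first ':' only."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and contain no ':'")
    return f"{username}:{password}".encode("utf-8")


def decode_payload(payload: bytes) -> Tuple[str, str]:
    username, sep, password = payload.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed payload")
    return username, password


def stash(keyring: Keyring, desc: str, username: str, password: str) -> None:
    """What the userspace tool would do: add/replace a key by description."""
    keyring[desc] = encode_payload(username, password)


def lookup(keyring: Keyring, address: str, port: int,
           domain: Optional[str]) -> Optional[Tuple[str, str, str]]:
    """The proposed kernel-side order: (1) credentials for the address+port
    we are talking to, then (2) credentials for the domain the server
    claims.  Returns (which, username, password) or None."""
    candidates = [("host", host_description(address, port))]
    if domain:
        candidates.append(("domain", domain_description(domain)))
    for which, desc in candidates:
        payload = keyring.get(desc)
        if payload is not None:
            user, pw = decode_payload(payload)
            return which, user, pw
    return None


if __name__ == "__main__":
    kr: Keyring = {}
    # constructed sample keys, not real credentials
    stash(kr, host_description("192.0.2.10", 445), "alice", "p:w:d")
    stash(kr, domain_description("example"), "bob", "hunter2")
    print(lookup(kr, "192.0.2.10", 445, "EXAMPLE"))   # host key wins
    print(lookup(kr, "192.0.2.11", 445, "EXAMPLE"))   # falls back to domain
    print(lookup(kr, "192.0.2.11", 445, "OTHER"))     # nothing matches
```

Two things the model makes visible: the host/domain split has to be decidable from the description string itself, which is why `classify_description` requires a parseable address in front of the "+"; and a domain key is offered to any server that merely claims that domain, so its scope is much wider than an address+port key, which is an argument for trying the address key first as the message proposes.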
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html