Re: pam module to set cifs credentials in key store

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2013-11-14 at 08:08 -0500, Jeff Layton wrote:
> On Wed, 13 Nov 2013 18:32:19 -0500
> Simo <simo@xxxxxxxxx> wrote:
> 
> > On Wed, 2013-11-13 at 15:50 -0700, Orion Poplawski wrote:
> > > On 11/13/2013 03:47 PM, Orion Poplawski wrote:
> > > > On 11/13/2013 03:34 PM, Simo wrote:
> > > >>
> > > >> Uhm doesn't this code store the user password in the clear in a key that
> > > >> is explicitly made readable to any process of the user in the same
> > > >> session ?
> > > >>
> > > >> Simo.
> > > >>
> > > >
> > > > I tried to mimic exactly what the cifscreds program does, but I may have made
> > > > a mistake.  Or perhaps cifscreds is also doing a bad thing.  The key
> > > > permissions are set to:
> > > >
> > > > #define CIFS_KEY_PERMS (KEY_POS_VIEW|KEY_POS_WRITE|KEY_POS_SEARCH| \
> > > >                          KEY_USR_VIEW|KEY_USR_WRITE|KEY_USR_SEARCH)
> > > >
> > > >
> > > 
> > > We're not setting KEY_*_READ, so one cannot read the contents of the key, IIUIC.
> > 
> > My bad, my eyes saw VIEW but read READ.
> > 
> > Simo.
> > 
> 
> Yep, and furthermore...
> 
> These keys are saved as a "logon" keytype (see kernel commit
> 9f6ed2ca257). Those are basically just like the "user" keytype except
> that there is no mechanism to report the payload to userland. So even
> if the permissions we such that you could read them, there's no way for
> the kernel to do so.
> 
> About the only way to get the password out of the kernel would be to
> poke around in /dev/mem or the equivalent. Unfortunately, there's not
> much we can do about that...

We could (reversibly) encrypt them with a key held in a TPM chip :-)

Simo.

--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux