Skip Menu |
 

Subject: Windows: Add new krb5_ccache type MSLSA: for read-only access to MS Credential Cache
Our experience has shown that end users who attempt to make use of the
MS Kerberos LSA cache in their applications inevitably get it wrong.
Especially because the behavior of the LSA is slightly different on
each of the different operating systems. We have seen many people
copying/pasting code from src/windows/ms2mit.c into their apps where
it cannot be readily fixed when problems arise. We have a similar
problem in that both KfW Leashw32.dll and ms2mit.exe both have to share
similar code. For 1.3.2 we will create a new krb5_ccache type which
can be used for credential access from ms2mit.exe, leashw32.dll, and
end user applications.
From: jaltman@mit.edu
Subject: CVS Commit
Download (untitled) / with headers
text/plain 2.9KiB
* Added new krb5_ccache type "MSLSA" for Windows only.
This new ccache type provides an interface for the MIT krb5_cc api
functions to be used to access the contents of the MS Kerberos LSA
cache. The ccache type is read-only because the MS Kerberos LSA
does not allow third party applications to insert credentials into
the cache.

The primary motivation of this work was to encapsulate the complex
operations necessary to manipulate the MS Kerberos LSA. The code
was far from trivial and was often implemented incorrectly. Worse
still was the fact that each version of Windows since W2K modified
the use of the LSA API.

The code which was originally donated in the form of ms2mit.c had
many memory and handle leaks which were acceptable for a one time
application such as ms2mit.c. Unfortunately, this code has started
to appear in many other applications: KfW's Leash, the AFS Wake
systray tool, and others.

By using the new MSLSA ccache the implementation of ms2mit.c went
from 890 lines to 50 lines of code and comments. All that is necessary
is for the MSLSA ccache to be resolved and for its contents to be
copied with krb5_cc_copy_creds to the default ccache.

The MSLSA ccache implements all of the functions of a ccache except
those which would be used to store data into the ccache. When a
write attempt is performed the new error KRB5_CC_READONLY is returned.

The residual portion of the MSLSA ccache name is current ignored
but preserved. If you ask for ccache "MSLSA:myname" you will be
given access to the LSA cache for the current Logon Session. If
you later ask for the name of the ccache you will be returned the
same name. In the future, the residual might be used to provide
information necessary to identify a specific logon session whose
cache it is desired to access. If this is ever done, the applications
which use it will have to possess the SeTcbPrivilege privilege.

Using KfW's Leash it is now possible to set the Krb5 credential
cache to "MSLSA:" and use it to monitor the contents of the
MS Kerberos LSA cache.

As part of adding this functionality, krb5_32.dll is not linked
against the "secur32.lib" library as the Lsa security sdk routines
are stored in the SECUR32.DLL file.


To generate a diff of this commit:



cvs diff -r1.127 -r1.128 krb5/src/lib/ChangeLog
cvs diff -r1.77 -r1.78 krb5/src/lib/Makefile.in
cvs diff -r5.86 -r5.87 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r1.53 -r1.54 krb5/src/lib/krb5/ccache/Makefile.in
cvs diff -r5.21 -r5.22 krb5/src/lib/krb5/ccache/ccbase.c
cvs diff -r5.95 -r5.96 krb5/src/lib/krb5/error_tables/ChangeLog
cvs diff -r5.73 -r5.74 krb5/src/lib/krb5/error_tables/krb5_err.et
cvs diff -r1.6 -r1.7 krb5/src/windows/ms2mit/ChangeLog
cvs diff -r1.3 -r1.4 krb5/src/windows/ms2mit/Makefile.in
cvs diff -r1.5 -r1.6 krb5/src/windows/ms2mit/ms2mit.c
cvs diff -r0 -r5.1 krb5/src/lib/krb5/ccache/cc_mslsa.c
Date: Fri, 12 Dec 2003 16:34:42 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2049] CVS Commit
RT-Send-Cc:



Show quoted text
>
> As part of adding this functionality, krb5_32.dll is not linked
^^^

Is this not or now?


Show quoted text
> against the "secur32.lib" library as the Lsa security sdk routines
> are stored in the SECUR32.DLL file.
>
>

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Date: Fri, 12 Dec 2003 17:37:14 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2049] CVS Commit
RT-Send-Cc:
What a typo. It is "now" ...

DEEngert@anl.gov via RT wrote:

Show quoted text
>> As part of adding this functionality, krb5_32.dll is not linked
>>
>>
> ^^^
>
>Is this not or now?
>
>
>
>
>> against the "secur32.lib" library as the Lsa security sdk routines
>> are stored in the SECUR32.DLL file.
>>
>>
>>
>>
>
>
>
Download smime.p7s
application/x-pkcs7-signature 3.3KiB

Message body not shown because it is not plain text.

From: tlyu@mit.edu
Subject: CVS Commit
* Makefile.in: Move ##WIN32## constructs from inside
backslash-continued lists, as it was breaking them. Move explicit
dependency information from under automatic dependencies.


To generate a diff of this commit:



cvs diff -r5.87 -r5.88 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r1.54 -r1.55 krb5/src/lib/krb5/ccache/Makefile.in
From: jaltman@mit.edu
Subject: CVS Commit
* Makefile.in: remove extraneous spaces from ##WIN32## commented
defines for MSLSA_OBJ and MSLSA_SRC


To generate a diff of this commit:



cvs diff -r1.55 -r1.56 krb5/src/lib/krb5/ccache/Makefile.in
From: jaltman@mit.edu
Subject: CVS Commit
* Makefile.in: Remove extraneous spaces ...


To generate a diff of this commit:



cvs diff -r5.88 -r5.89 krb5/src/lib/krb5/ccache/ChangeLog
From: jaltman@mit.edu
Subject: CVS Commit
* when initiating an enumeration of the ccache contents perform
a fetch of the TGT. This will trigger an update request by
the MS LSA on Windows 2000 and XP which is perfectly willing
to allow TGTs to expire.


To generate a diff of this commit:



cvs diff -r5.89 -r5.90 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r5.1 -r5.2 krb5/src/lib/krb5/ccache/cc_mslsa.c
From: jaltman@mit.edu
Subject: CVS Commit
* cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
has expired. This will force the LSA to get a new TGT instead of
returning the expired version.


To generate a diff of this commit:



cvs diff -r5.90 -r5.91 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r5.2 -r5.3 krb5/src/lib/krb5/ccache/cc_mslsa.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r1.119.2.8 -r1.119.2.9 krb5/src/lib/ChangeLog
cvs diff -r1.77 -r1.77.2.1 krb5/src/lib/Makefile.in
cvs diff -r5.82.2.2 -r5.82.2.3 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r1.51.2.1 -r1.51.2.2 krb5/src/lib/krb5/ccache/Makefile.in
cvs diff -r5.20.2.1 -r5.20.2.2 krb5/src/lib/krb5/ccache/ccbase.c
cvs diff -r5.91.2.3 -r5.91.2.4
krb5/src/lib/krb5/error_tables/ChangeLog
cvs diff -r5.72.2.1 -r5.72.2.2
krb5/src/lib/krb5/error_tables/krb5_err.et
cvs diff -r1.3.2.3 -r1.3.2.4 krb5/src/windows/ms2mit/ChangeLog
cvs diff -r1.3 -r1.3.2.1 krb5/src/windows/ms2mit/Makefile.in
cvs diff -r1.2.2.3 -r1.2.2.4 krb5/src/windows/ms2mit/ms2mit.c
cvs diff -r0 -r5.3.2.1 krb5/src/lib/krb5/ccache/cc_mslsa.c
From: jaltman@mit.edu
Subject: CVS Commit
Download (untitled) / with headers
text/plain 1.5KiB
* cc_retr.c: Extract the test to determine if a credential matches
a requested credential according to the specified fields into
a private function: krb5int_cc_creds_match_request()

* cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to
perform a MS Kerberos LSA ticket request if there is no matching
credential in the cache. The MS Kerberos LSA places the following
restriction on what tickets it will place into the LSA cache:
tickets obtained by an application request for a specific
set of kerberos flags or enctype will not be cached.
Therefore, we first make a request with no flags or enctype in
the hope that we will be lucky and get the right ones anyway.
If not, we make the application's request and return that ticket
if it matches the other criteria.

Implemented a similar technique for krb5_lcc_store(). Since we
can not write to the cache, when a store request is made we
instead perform a ticket request through the lsa for a matching
credential. If we receive one, we return success. Otherwise,
we return the KRB5_CC_READONLY error.

With these changes I am now able to operate entirely with the MSLSA
ccache as the default cache provided the MS LSA credentials are
for the principal I wish to use. Obviously, one cannot change
principals while the MSLSA ccache is the default.


To generate a diff of this commit:



cvs diff -r5.91 -r5.92 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r5.3 -r5.4 krb5/src/lib/krb5/ccache/cc_mslsa.c
cvs diff -r5.4 -r5.5 krb5/src/lib/krb5/ccache/cc_retr.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r5.82.2.3 -r5.82.2.4 krb5/src/lib/krb5/ccache/ChangeLog
cvs diff -r5.3.2.1 -r5.3.2.2 krb5/src/lib/krb5/ccache/cc_mslsa.c
cvs diff -r5.4 -r5.4.2.1 krb5/src/lib/krb5/ccache/cc_retr.c
From: tlyu@mit.edu
Subject: CVS Commit
pull up cc_mslsa.c:5.5 from trunk; original commit wasn't logged.


To generate a diff of this commit:



cvs diff -r5.3.2.3 -r5.3.2.4 krb5/src/lib/krb5/ccache/cc_mslsa.c