This case seems like a good thing, but I'm not expert enough on
Kerberos to know if it meets all the needs that folks are going to
want. I'd like to hear, if possible, from other folks more intimate
with Kerberos before giving this a +1.
Also, your stability levels need to be modernized. We don't use
Evolving and Unstable anymore. Perhaps you mean Uncommitted and Volatile?
- Garrett
On 5/26/2010 9:45 AM, Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates. All
rights reserved.
1. Introduction
1.1. Project/Component Working Name:
DTrace Kerberos Protocol Provider
1.2. Name of Document Author/Supplier:
Author: Mark Phalan
1.3 Date of This Document:
26 May, 2010
4. Technical Description
A. INTRODUCTION
This case falls under the Umbrella case for Kerberos Diagnostic
Enhancements (PSARC/2010/135).
A new DTrace USDT provider for Kerberos is added which provides probes
for Kerberos messages (Protocol Data Unit). The probes are modeled after
the Kerberos message types described in RFC4120. The probes are
available to consumers of libkrb5/mech_krb5 including those applications
which use mech_krb5 through libgss. The probes are split between message
creation/consumption and sending/receiving. Depending on how an
application/library uses Kerberos, the Kerberos library may send/receive
the message or leave the message transport up to the
application/library.
Much of the information exposed by the Kerberos probes can
already be observed with wireshark(1) however there are some important
differences:
- Access to encrypted information.
The probes are positioned so that information is exposed
before encryption when making a message and after decryption
when reading a message (if decryption fails, only the
clear-text parts of the message may be available).
- Better observability.
Because the Kerberos probes provide observability at the level of
message generation/consumption, a message can easily be observed
even if it is wrapped up in another protocol, e.g. the
KRB_AP_REQ/KRB_AP_REP messages as sent by SunSSH.
Wireshark can only observe network events; the Kerberos probes can
be used even if nothing is sent across the network.
This case seeks Patch binding although there is no plan to backport to
S10 at this time.
CR:
6927270 kerberos should provide a set of dtrace probes
B. DESCRIPTION
Probes and their arguments
---
Probes for KRB_AP_REP
kerberos$pid:::krb_ap_rep-make
kerberos$pid:::krb_ap_rep-read
args[0] krbinfo_t *
args[1] kaprepinfo_t *
Probes for KRB_AP_REQ
kerberos$pid:::krb_ap_req-make
kerberos$pid:::krb_ap_req-read
args[0] krbinfo_t *
args[1] kapreqinfo_t *
args[2] kticketinfo_t *
args[3] kauthenticatorinfo_t *
Probes for KRB_KDC_REP
kerberos$pid:::krb_kdc_rep-make
kerberos$pid:::krb_kdc_rep-read
args[0] krbinfo_t *
args[1] kdcrepinfo_t *
args[2] kticketinfo_t *
Probes for KRB_KDC_REQ
kerberos$pid:::krb_kdc_req-make
kerberos$pid:::krb_kdc_req-read
args[0] krbinfo_t *
args[1] kdcreqinfo_t *
Probes for KRB_CRED
kerberos$pid:::krb_cred-make
kerberos$pid:::krb_cred-read
args[0] krbinfo_t *
args[1] kcredinfo_t *
Probes for KRB_ERROR
kerberos$pid:::krb_error-make
kerberos$pid:::krb_error-read
args[0] krbinfo_t *
args[1] kerrorinfo_t *
Probes for KRB_PRIV
kerberos$pid:::krb_priv-make
kerberos$pid:::krb_priv-read
args[0] krbinfo_t *
args[1] kprivinfo_t *
Probes for KRB_SAFE
kerberos$pid:::krb_safe-make
kerberos$pid:::krb_safe-read
args[0] krbinfo_t *
args[1] ksafeinfo_t *
Probes for sending and receiving messages
kerberos$pid:::krb_message-recv
kerberos$pid:::krb_message-send
args[0] krbinfo_t *
args[1] kconninfo_t *
Argument structures
---
In certain situations some argument values may be 0, or empty. The
structures were designed to be generally consistent with RFC4120.
/* Generic Kerberos message information */
typedef struct krbinfo {
    uint8_t krb_version; /* protocol version number (5) */
    string krb_message_type; /* message type (AS_REQ(10), ...) */
    uint64_t krb_message_id; /* message identifier */
    uint32_t krb_message_length; /* message length */
    uintptr_t krb_message; /* raw ASN.1 encoded message */
} krbinfo_t;
Note on krb_message_id:
There is no concept of a message identifier in the Kerberos
protocol. The identifier is specific to the Kerberos provider
and meant only to link messages between the make/read and
send/recv probes.
/* Connection information */
typedef struct kconninfo {
    string kconn_remote; /* remote host address */
    string kconn_local; /* local host address */
    uint16_t kconn_localport; /* local port */
    uint16_t kconn_remoteport; /* remote port */
    string kconn_protocol; /* protocol (ipv4, ipv6) */
    string kconn_type; /* transport type (udp, tcp) */
} kconninfo_t;
/* Authenticator information */
typedef struct kauthenticatorinfo {
    string kauth_client; /* client principal identifier */
    string kauth_cksum_type; /* type of checksum (des-cbc, ...) */
    uint32_t kauth_cksum_length; /* length of checksum */
    uintptr_t kauth_cksum_value; /* raw checksum data */
    uint32_t kauth_cusec; /* client time, microseconds */
    uint32_t kauth_ctime; /* client time in seconds */
    string kauth_subkey_type; /* sub-key type (des3-cbc-sha1, ...) */
    uint32_t kauth_subkey_length; /* sub-key length */
    uintptr_t kauth_subkey_value; /* sub-key data */
    uint32_t kauth_seq_number; /* sequence number */
    string kauth_authorization_data; /* top-level authorization types (AD-IF-RELEVANT, ...) */
} kauthenticatorinfo_t;
/* Ticket information (clear and decrypted parts) */
typedef struct kticketinfo_t {
    string kticket_server; /* service principal identifier */
    uint32_t kticket_enc_part_kvno; /* key version number */
    string kticket_enc_part_etype; /* enc type of encrypted ticket */
    string kticket_enc_flags; /* ticket flags (forwardable, ...) */
    string kticket_enc_key_type; /* key type (des3-cbc-sha1, ...) */
    uint32_t kticket_enc_key_length; /* key length */
    uintptr_t kticket_enc_key_value; /* key data */
    string kticket_enc_client; /* client principal identifier */
    string kticket_enc_transited; /* list of transited Kerberos realms */
    string kticket_enc_transited_type; /* encoding type */
    uint32_t kticket_enc_authtime; /* time of initial authentication */
    uint32_t kticket_enc_starttime; /* ticket start time in seconds */
    uint32_t kticket_enc_endtime; /* ticket end time in seconds */
    uint32_t kticket_enc_renew_till; /* ticket renewal time in seconds */
    string kticket_enc_addresses; /* addresses associated with ticket */
    string kticket_enc_authorization_data; /* list of top-level auth types */
} kticketinfo_t;
/* KDC request (AS_REQ, TGS_REQ) information */
typedef struct kdcreqinfo {
    string kdcreq_padata_types; /* list of pre-auth types */
    string kdcreq_kdc_options; /* requested ticket flags */
    string kdcreq_client; /* client principal identifier */
    string kdcreq_server; /* server principal identifier */
    uint32_t kdcreq_from; /* requested start time in seconds */
    uint32_t kdcreq_till; /* requested end time in seconds */
    uint32_t kdcreq_rtime; /* requested renewal time in seconds */
    uint32_t kdcreq_nonce; /* nonce for replay detection */
    string kdcreq_etype; /* preferred encryption types */
    string kdcreq_addresses; /* list of requested ticket addresses */
    string kdcreq_authorization_data; /* list of top-level auth types */
    uint32_t kdcreq_num_additional_tickets; /* number of additional tickets */
} kdcreqinfo_t;
/* KDC reply (AS_REP, TGS_REP) information */
typedef struct kdcrepinfo {
    string kdcrep_padata_types; /* list of pre-auth types */
    string kdcrep_client; /* client principal identifier */
    uint32_t kdcrep_enc_part_kvno; /* key version number */
    string kdcrep_enc_part_etype; /* enc type of encrypted KDC reply */
    string kdcrep_enc_key_type; /* key type (des3-cbc-sha1, ...) */
    uint32_t kdcrep_enc_key_length; /* key length */
    uintptr_t kdcrep_enc_key_value; /* key data */
    string kdcrep_enc_last_req; /* times of last request of principal */
    uint32_t kdcrep_enc_nonce; /* nonce for replay detection */
    uint32_t kdcrep_enc_key_expiration; /* expiration time of client's key */
    string kdcrep_enc_flags; /* ticket flags */
    uint32_t kdcrep_enc_authtime; /* time of authentication of ticket */
    uint32_t kdcrep_enc_starttime; /* ticket start time in seconds */
    uint32_t kdcrep_enc_endtime; /* ticket end time in seconds */
    uint32_t kdcrep_enc_renew_till; /* ticket renewal time in seconds */
    string kdcrep_enc_server; /* server principal identifier */
    string kdcrep_enc_caddr; /* zero or more client addresses */
} kdcrepinfo_t;
/* AP request information */
typedef struct kapreqinfo {
    string kapreq_ap_options; /* options (use-session-key, ...) */
    uint32_t kapreq_authenticator_kvno; /* key version number */
    string kapreq_authenticator_etype; /* enc type of authenticator */
} kapreqinfo_t;
/* AP reply information */
typedef struct kaprepinfo {
    uint32_t kaprep_enc_part_kvno; /* key version number */
    string kaprep_enc_part_etype; /* enc type of encrypted AP reply */
    uint32_t kaprep_enc_ctime; /* client time in seconds */
    uint32_t kaprep_enc_cusec; /* client time, microseconds portion */
    string kaprep_enc_subkey_type; /* sub-key type */
    uint32_t kaprep_enc_subkey_length; /* sub-key length */
    uintptr_t kaprep_enc_subkey_value; /* sub-key data */
    uint32_t kaprep_enc_seq_number; /* sequence number */
} kaprepinfo_t;
/* KRB_ERROR information */
typedef struct kerrorinfo {
    uint32_t kerror_ctime; /* client time in seconds */
    uint32_t kerror_cusec; /* client time, microseconds */
    uint32_t kerror_stime; /* server time in seconds */
    uint32_t kerror_susec; /* server time, microseconds */
    string kerror_error_code; /* error code (KRB_AP_ERR_SKEW, ...) */
    string kerror_client; /* client principal identifier */
    string kerror_server; /* server principal identifier */
    string kerror_e_text; /* additional error text */
    string kerror_e_data; /* additional error data */
} kerrorinfo_t;
/* KRB_SAFE information */
typedef struct ksafeinfo {
    uintptr_t ksafe_user_data; /* raw application specific data */
    uint32_t ksafe_timestamp; /* time of sender in seconds */
    uint32_t ksafe_usec; /* time of sender, microseconds */
    uint32_t ksafe_seq_number; /* sequence number */
    string ksafe_s_address; /* sender's address */
    string ksafe_r_address; /* recipient's address */
    string ksafe_cksum_type; /* checksum type (des-cbc, ...) */
    uint32_t ksafe_cksum_length; /* length of checksum */
    uintptr_t ksafe_cksum_value; /* raw checksum data */
} ksafeinfo_t;
/* KRB_PRIV information */
typedef struct kprivinfo {
    uint32_t kpriv_enc_part_kvno; /* key version number */
    string kpriv_enc_part_etype; /* enc type of encrypted message */
    uintptr_t kpriv_enc_user_data; /* raw application specific data */
    uint32_t kpriv_enc_timestamp; /* time of sender in seconds */
    uint32_t kpriv_enc_usec; /* time of sender, microseconds */
    uint32_t kpriv_enc_seq_number; /* sequence number */
    string kpriv_enc_s_address; /* sender's address */
    string kpriv_enc_r_address; /* recipient's address */
} kprivinfo_t;
/* KRB_CRED information */
typedef struct kcredinfo {
    uint32_t kcred_enc_part_kvno; /* key version number */
    string kcred_enc_part_etype; /* enc type of encrypted message */
    uint32_t kcred_tickets; /* number of tickets */
    uint32_t kcred_enc_nonce; /* nonce for replay detection */
    uint32_t kcred_enc_timestamp; /* time of sender in seconds */
    uint32_t kcred_enc_usec; /* time of sender, microseconds */
    string kcred_enc_s_address; /* sender's address */
    string kcred_enc_r_address; /* recipient's address */
} kcredinfo_t;
C. EXAMPLES
# Dump a Kerberos error message
# dtrace -n 'krb_error-make {
    printf("\n{");
    /* widen the 32-bit seconds before scaling to nanoseconds for %Y */
    printf("\n\tctime = %Y", (uint64_t)args[1]->kerror_ctime * 1000000000);
    printf("\n\tcusec = %d", args[1]->kerror_cusec);
    printf("\n\tstime = %Y", (uint64_t)args[1]->kerror_stime * 1000000000);
    printf("\n\tsusec = %d", args[1]->kerror_susec);
    printf("\n\terror_code = %s", args[1]->kerror_error_code);
    printf("\n\tclient = %s", args[1]->kerror_client);
    printf("\n\tserver = %s", args[1]->kerror_server);
    printf("\n\te_text = %s", args[1]->kerror_e_text);
    printf("\n\te_data = %s", "");
    printf("\n}");
}'
dtrace: description 'krb_error-make ' matched 1 probe
CPU ID FUNCTION:NAME
0 78307 krb5_mk_error:krb_error-make
{
ctime = 2010 May 10 12:11:20
cusec = 0
stime = 2010 May 10 12:11:20
susec = 319090
error_code = KDC_ERR_C_PRINCIPAL_UNKNOWN(6)
client = [email protected]
server = krbtgt/[email protected]
e_text = CLIENT_NOT_FOUND
e_data =
}
# Display the service ticket required to access an ssh server
# LD_PRELOAD_32=/usr/lib/gss/mech_krb5.so.1 dtrace -q -n '
kerberos$target:::krb_kdc_req-make {
    printf("kdcreq_server: %s", args[1]->kdcreq_server);
}' -c "ssh [email protected]" -o dtrace.out
Last login: Thu Apr 29 15:27:44 2010
Sun Microsystems Inc. SunOS 5.11 snv_137 March 2010
$ ^D
# cat dtrace.out
kdcreq_server: host/[email protected]
# Display KDC address and port when getting an initial TGT when the KDC is
# unavailable.
# LD_BIND_NOW=1 dtrace -q -n '
kerberos$target:::krb_message-send {
    printf("%s:%d\n", args[1]->kconn_remote, args[1]->kconn_remoteport)
}
' -c "kinit local4"
10.10.10.14:88
10.10.10.14:750
10.10.10.14:88
10.10.10.14:750
10.10.10.14:88
10.10.10.14:750
kinit(v5): Cannot contact any KDC for realm 'D.COM' while getting initial
credentials
D. STABILITY
Element      Name stability   Data stability   Dependency class
Provider     Evolving         Evolving         Common
Module       Private          Private          Unknown
Function     Private          Private          Unknown
Name         Evolving         Evolving         Common
Arguments    Unstable         Unstable         Common
E. DELIVERABLES
USDT probes
---
/usr/lib/gss_mechs/mech_krb5.so.1
Library support
---
/usr/lib/dtrace/krb.d
Example script
---
/usr/demo/dtrace/kerberos.d
F. REFERENCES
http://www.ietf.org/rfc/rfc4120.txt
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
_______________________________________________
opensolaris-arc mailing list
[email protected]
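An added example, not from the case or the mech_krb5 project, that puts the probes above to work as one script: it follows a process's KDC exchanges, joins each made request to its send event through krb_message_id as the note on that field describes, times the reply or error with a thread-local variable, and calls out single-DES session keys. It assumes the exchange runs synchronously on the calling thread and that single-DES enctype names begin with "des-cbc"; run it with -c or -p, as the case's own examples do.

```d
/*
 * Added example, not part of the ARC case. krb_message_id ties the made
 * request to its send event; the reply/error is tied back with a
 * thread-local (assumes a synchronous exchange on the calling thread).
 * "des-cbc" as the single-DES enctype spelling is also an assumption.
 */
#pragma D option quiet

kerberos$target:::krb_kdc_req-make
{
	req_sent[args[0]->krb_message_id] = 1;	/* gate the send probe below */
	self->start = timestamp;
	printf("%s %s -> %s (pre-auth: %s)\n", args[0]->krb_message_type,
	    args[1]->kdcreq_client, args[1]->kdcreq_server,
	    args[1]->kdcreq_padata_types);
}

/* every transmission of a made request, so KDC retries show up too */
kerberos$target:::krb_message-send
/req_sent[args[0]->krb_message_id]/
{
	printf("  sent %d bytes to %s:%d (%s/%s)\n", args[0]->krb_message_length,
	    args[1]->kconn_remote, args[1]->kconn_remoteport,
	    args[1]->kconn_protocol, args[1]->kconn_type);
}

kerberos$target:::krb_kdc_rep-read
/self->start/
{
	printf("  %s after %d us: ticket for %s, etype %s, flags [%s]\n",
	    args[0]->krb_message_type, (timestamp - self->start) / 1000,
	    args[2]->kticket_server, args[2]->kticket_enc_part_etype,
	    args[2]->kticket_enc_flags);
	self->start = 0;
}

/* single-DES session keys are weak; call them out separately */
kerberos$target:::krb_kdc_rep-read
/strstr(args[1]->kdcrep_enc_key_type, "des-cbc") != NULL/
{
	printf("  WARNING: single-DES session key %s for %s\n",
	    args[1]->kdcrep_enc_key_type, args[2]->kticket_server);
}

kerberos$target:::krb_error-read
/self->start/
{
	printf("  error %s for %s: %s\n", args[1]->kerror_error_code,
	    args[1]->kerror_client, args[1]->kerror_e_text);
	self->start = 0;
}
```

As in the ssh example above, a program that loads mech_krb5 lazily through libgss may need LD_PRELOAD_32 or LD_BIND_NOW so the probes exist when dtrace attaches.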