Re: Proxy credentials usage from my root daemon.

[Quinn "The Eskimo!"]

On 20 Sep 2016, at 09:05, Quinn The Eskimo!  wrote:

> If they use NSURL{Session,Connection} then the proxy ‘heavy lifting’ is done 
> by another daemon, `networkd`, that contains a bunch of smarts.

I had a short talk with some folks from R&D Engineering about this and it’s 
seems that my description was /way/ off base )-:  Things have changed 
substantially since I last looked at this in depth (for example, our 
just-released OSes no longer include `networkd`) and it’s likely that my 
understanding about how it worked on older OSes is flawed.  Apologies for the 
bad info.

If you want to dig into this further I recommend that you open a DTS tech 
support incident; that’ll give me a chance to research it properly.



Share and Enjoy
--
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware



 ___
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list  (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macnetworkprog/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Proxy credentials usage from my root daemon.

[Quinn "The Eskimo!"]

On 20 Sep 2016, at 07:45, Motti Shneor  wrote:

> 1. How do other system daemons connect to network web servers silently, using 
> authenticated proxy settings?

If they use NSURL{Session,Connection} then the proxy ‘heavy lifting’ is done by 
another daemon, `networkd`, that contains a bunch of smarts.

> Also, what keychain they use? not the System keychain?

Credentials like this are usually stored in the System keychain, although 
that’s clearly not the case here.  Beyond that, I haven’t looked at how proxies 
work at this level in a while.

> and when I set authentication parameters for, say, the admin user - how do 
> they read it? via some kind of impersonation?

That won’t work because, when a user logs out, their keychain is locked and no 
one, not even root, can unlock it.

This is in stark contrast to the System keychain, which can be unlocked by any 
root process.

> 2. How do preinstalled Safari, Mail, Photos, and other apps  connect silently 
> to the web, and avoid triggering the key-chain access permission dialog?

These apps use NSURLSession and, as such, the proxy work goes via `networkd`.

> 3. All proxy settings seem to be system-wide (actually per 
> network-interface). Why do the credentials reside in the active user’s Login 
> keychain, instead of the “System” keychain? 

It’s hard to answer “why” questions.

> Is there at all a way (except for manually editing the keychains) to set-up 
> proxies for ALL users, including credentials?
> 
> 4. Could I, at the time of installation of my product, ask once for this 
> access, and have this “trust” saved for my installed daemon? That will be 
> acceptable, as IT installs our [tool] on all users machinesl, and have rights 
> for this. If this is possible - where and how could I do it?

If you’re deploying to managed environments then you need to look at 
configuration profiles.

> If the wonderful code within NSURLSession and CFNetwork that negotiates 
> proxies would be exposed via proper APIS - that would be a real blessing.

You should file an enhancement request that describes what you’d like to see 
here.



Please post your bug number, just for the record.

Share and Enjoy
--
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware



 ___
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list  (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macnetworkprog/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Proxy credentials usage from my root daemon.

[Motti Shneor]

Hello everyone. I already posted this question in the cocoa-dev, but was 
directed here…

We write a system-level daemon that runs as root for security monitoring,  
maintained by launched.

We use C++ boost asyncio for cross-platform networking (Win/Linux/OS-X). Hence, 
on OS-X, can’t use higher-level APIs (such as NSURLSession and friends. Also, 
we use proprietary binary protocol to our server, but in certain client site 
deployments, we need to pass it through HTTP Proxy. We use the “HTTP Connect” 
command to create a secure tunnel through the proxy.  This works fine when we 
provide proxy configuration of our own.

Now I’m trying to integrate with the OS-X system-configuration proxy settings. 
Found the great (if little old) CFProxySupportTool code-sample, read lots of 
documentation, and was able to neatly read and support HTTP, HTTPS, 
Auto-Configured and PAC based settings. 

This breaks when Proxy is authenticated, i.e. you must handshake using username 
and password with the proxy.

The credential keys (username and password) received from 
CFNetworkCopyProxiesForURL()are normally empty, as they are stored in OS-X’s 
secure storage - the KeyChain. 

I wrote a simple tool to read the credentials using KeyChain APIs, and found 
the following:
1. The credentials are stored in the current user’s login keychain. (the user 
who set the credentials in the system-preferences network panel).
2. Calling key-chain APIs in test tool triggers a dialog, asking from the user 
permission to allow it access to the key-chain. Expected for an App, not so 
much for a system-level daemon.
3. When the tool is run as root, it finds nothing - because it doesn’t reach 
the user’s Login keychain.

My questions:

1. How do other system daemons connect to network web servers silently, using 
authenticated proxy settings? I never got any dialog for them, asking 
permission to read the keychain… Also, what keychain they use? not the System 
keychain? and when I set authentication parameters for, say, the admin user - 
how do they read it? via some kind of impersonation?

2. How do preinstalled Safari, Mail, Photos, and other apps  connect silently 
to the web, and avoid triggering the key-chain access permission dialog?  They 
clearly use proxy settings (including credentials) to go to the internet, and 
run under the current user. If such behavior is acceptable -  how is it done? 

3. All proxy settings seem to be system-wide (actually per network-interface). 
Why do the credentials reside in the active user’s Login keychain, instead of 
the “System” keychain? Is there at all a way (except for manually editing the 
keychains) to set-up proxies for ALL users, including credentials?

4. Could I, at the time of installation of my product, ask once for this 
access, and have this “trust” saved for my installed daemon? That will be 
acceptable, as IT installs our too on all users machinesl, and have rights for 
this. If this is possible - where and how could I do it?

These are lots of questions, but any hint, any direction to docs or sample 
code, would be greatly appreciated. I’m spending weeks on this already.

Last… If the wonderful code within NSURLSession and CFNetwork that negotiates 
proxies would be exposed via proper APIS - that would be a real blessing. So 
many developers (especially in the enterprise arena) need to time and again 
reimplement this - and do it in ways much inferior and insecure to the system 
implementation.

Motti Shneor
---

But they are useless ---
 they can only provide answers! 

(Pablo Picasso 1881-1973 about Computers).






 ___
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list  (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macnetworkprog/archive%40mail-archive.com

This email sent to arch...@mail-archive.com