Discussion:
Systemd and kernel keyring
Dinesh Prasanth Moluguwan Krishnamoorthy
2018-12-06 03:11:30 UTC
Hi team,

I'm working on accessing kernel keyring in my application started using
systemd.

The list of steps I'm doing:

1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
USER
2. In the `ExecStartPre`, I'm launching a subprocess that invokes
`systemd-ask-password` to accept the input and store it in the USER's
kernel keyring
3. In the main program started using `ExecStart`, I'm accessing the
value stored in the keyring

I'm able to access the values from my main program -- everything works
as expected! When I try to login as that specific user and do a `keyctl
show @u`, I find the entry.

However, when I try to do `keyctl print <keyID>`, it throws "Permission
Denied" error. IIUC, this protects the keys in the keyring from
accessing outside the systemd service. Is it the desired behaviour?

I have the sample systemd unit file available in [1].

[1]
https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service

Thanks,
Dinesh
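The "Permission Denied" on `keyctl print` comes down to which of the kernel's four permission classes (possessor, user, group, other) the calling process falls into. The script below is an added example, not code from the thread or from the linked unit file: it parses a constructed `keyctl describe` line carrying the kernel's default permissions for a key created with add_key(2) (possessor `alswrv`, owning user `v` only) and replays the owner/group/other/possessor order of the kernel's permission check, so it shows why a service that possesses the key can read it while a login shell of the same uid, which merely owns it, can list it but not print it.

```shell
#!/bin/sh
# Constructed sample line, modelled on `keyctl describe` output:
#   keyid: <perms> <uid> <gid> <type>: <description>
# <perms> is four 6-letter groups (possessor, user, group, other), each
# drawn from  a l s w r v  = setattr link search write read view.
# These are the kernel defaults for a new "user" key: the possessor gets
# everything, the owning uid only 'v' (view), group and other nothing.
DESC='123456789: alswrv-----v------------  1000  1000 user: service-password'

perms_of() { set -- $1; printf '%s\n' "$2"; }   # $1 is word-split on purpose
uid_of()   { set -- $1; printf '%s\n' "$3"; }
gid_of()   { set -- $1; printf '%s\n' "$4"; }

# bits <perms> <class>: the 6-letter group for class pos|usr|grp|oth
bits() {
    case "$2" in
        pos) printf '%s' "$1" | cut -c1-6   ;;
        usr) printf '%s' "$1" | cut -c7-12  ;;
        grp) printf '%s' "$1" | cut -c13-18 ;;
        oth) printf '%s' "$1" | cut -c19-24 ;;
    esac
}

# has <perms> <class> <letter>: true if that class carries the permission
has() { case "$(bits "$1" "$2")" in *"$3"*) return 0 ;; esac; return 1; }

# can <describe line> <letter> <caller uid> <caller gid> <possesses: yes|no>
# Same order as the kernel's key_task_permission(): owner bits if the uid
# matches, else group bits if the gid matches and the group class is not
# empty, else other bits; possessor bits are OR'ed in only when the key is
# reachable from the caller's own thread/process/session keyrings.
can() {
    p=$(perms_of "$1"); u=$(uid_of "$1"); g=$(gid_of "$1")
    [ "$5" = yes ] && has "$p" pos "$2" && return 0
    if [ "$3" = "$u" ]; then
        has "$p" usr "$2"
    elif [ "$4" = "$g" ] && [ "$(bits "$p" grp)" != "------" ]; then
        has "$p" grp "$2"
    else
        has "$p" oth "$2"
    fi
}

# The service's processes (uid 1000) possess the key through their session
# keyring; a login shell of the same uid owns it but does not possess it.
can "$DESC" r 1000 1000 yes && echo "service process: keyctl print allowed"
can "$DESC" r 1000 1000 no  || echo "login shell: keyctl print -> Permission denied"
can "$DESC" v 1000 1000 no  && echo "login shell: keyctl show @u still lists it"
```

A login shell gains possession only if the key (or the keyring holding it) is linked into its own session keyring; the alternative of widening the owner class with `keyctl setperm` makes the secret readable by every process of that uid, which is exactly the exposure the default permissions avoid.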
Sietse van Zanen
2018-12-06 11:57:10 UTC
Hi Dinesh,

Did you do a 'keyctl link @us @s' after logging in?

And could you tell me how you achieve 2? Because according to the documentation it is not possible to have systemd-ask-password insert a key into a user's keylist:
--keyname=
Configure a kernel keyring key name to use as cache for the password. If set, then the tool will try to push any collected passwords into the
kernel keyring of the root user

-Sietse
Bruno Vernay
2018-12-06 13:03:15 UTC
I wanted to do some kind of tutorial (
https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring)
on the subject, but I don't find a lot of resources (apart from the "reference
documentation").

This might be helpful: https://mjg59.dreamwidth.org/37333.html
_______________________________________________
systemd-devel mailing list
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
Bruno VERNAY