Skip to content

Latest commit

 

History

History
55 lines (46 loc) · 2.64 KB

20220322-minutes.md

File metadata and controls

55 lines (46 loc) · 2.64 KB

Authentication Working Group Minutes

Tuesday, 2022/03/22

10:00 am ET

Attendees:

Terrell Russell, Alan King, Kory Draughn, Dave Fellinger, Claudio Cacciari (SURF), Harry Kodden (SURF), Stefan Wolfsheimer (SURF), Paul Borgermans (KU Leuven), John Constable (Sanger), Mike Conway (NIEHS)

Minutes

SUMMARY:

DISCUSSION

  • Alan Update
    • Legacy PAM plugin ported to use new plugin framework
      • Perhaps start calling it 'pam_password'
      • Functions as a standalone plugin instead of having a special flow via iinit
    • Attempted port of SURF's "interactive PAM" auth plugin to new framework
  • Next Steps
    • JSON token on client side - to hold information coming from the PAM stack
    • Most complicated part was/is to implement the callback function in the flow when coming from the PAM stack, as part of the handshake conversation(?)
    • Hold diagrams alongside the code - figure out if they are consistent/true
    • Demonstrate example session from original presentation, to confirm flow is still consistent
    • Updated diagram, similar to current interactive series, but box-within-a-box
  • Proposed
    • Small hackathon - to be able to poke at the PAM backend, via python (no compiling)
    • auth_check_main.cpp - as a debugging program, good place to start too
    • Would not use the python backend for production, but good for testing/prototyping
      • Any kind of conversation, flexible
  • Question (Stefan)
    • Consider adding threadpool, to control the number of active sessions with PAM
  • Claudio
    • iinit currently creates .irodsA (which requires iexit to remove)
    • Need to think about removing the cookie/JSON file
    • Current code, if JSON is not present, then challenge again to recreate
      • No explicit logout in the code… yet
    • Question, should iexit also remove this JSON file?
      • Perhaps just another plugin operation (so for native, remove .irodsA file, for PAM, remove this JSON)
    • Similar flow for when the server invalidates/revokes a good token
      • And again for renewing/refreshing
  • Other iRODS client libraries would need to learn this flow as well
    • Python, Go, Jargon, etc. But also the clients that use them
      • Interaction with the user
    • b/c no longer just challenge/password, need to copy/paste any tokens, etc.
    • Only the server has to talk to the PAM stack itself
  • Stefan will find/share the JSON cookie patch with Alan
  • Next Meeting
    • April 2022