[systemd-devel] Systemd and kernel keyring

Bruno Vernay brunovern.a at gmail.com
Thu Dec 6 13:03:15 UTC 2018


I wanted to do some kind of tutorial (
https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring)
on the subject, but I don't find a lot of resources (apart from "reference
documentation").

This might be helpful: https://mjg59.dreamwidth.org/37333.html


On Thu, Dec 6, 2018 at 12:57 PM Sietse van Zanen <sietse at wizdom.nu> wrote:

> Hi Dinesh,
>
> Did you do a 'keyctl link @us @s' after logging in?
>
> And could you tell me how you achieve 2. Because according to documentation
> it is not possible to have systemd-ask-password insert a key into a user's
> keylist:
>   --keyname=
>       Configure a kernel keyring key name to use as cache for the
>       password. If set, then the tool will try to push any collected
>       passwords into the kernel keyring of the root user
>
> -Sietse
> ________________________________________
> From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> on
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Thursday, December 6, 2018 04:11
> To: systemd-devel at lists.freedesktop.org
> Subject: [systemd-devel] Systemd and kernel keyring
>
> Hi team,
>
> I'm working on accessing kernel keyring in my application started using
> systemd.
>
> The list of steps I'm doing:
>
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
> USER
> 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
> `systemd-ask-password` to accept the input and store it in the USER's
> kernel keyring
> 3. In the main program started using `ExecStart`, I'm accessing the
> value stored in the keyring
>
> I'm able to access the values from my main program -- everything works
> as expected! When I try to login as that specific user and do a `keyctl
> show @u`, I find the entry.
>
> However, when I try to do `keyctl print <keyID>`, it throws "Permission
> Denied" error. IIUC, this protects the keys in the keyring from
> accessing outside the systemd service. Is it the desired behaviour?
>
> I have the sample systemd unit file available in [1].
>
> [1]
>
> https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
>
> Thanks,
> Dinesh
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>


-- 
Bruno VERNAY
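Before concluding that the "Permission denied" from `keyctl print` is systemd protecting the key, it is worth reading the key's own permission mask. The script below is an added example for this thread, not code from the posters or from systemd: it decodes the eight-hex-digit mask that `keyctl rdescribe <keyID>` prints (raw record `type;uid;gid;perm;description`) into the per-role rights documented in keyrings(7), and reports which roles may read the payload. The sample records are constructed, not captured from a real machine. The mask 3f010000 is the one add_key(2) assigns when the caller does not specify permissions: the possessor holds every right, the owning user only "view", so a process that owns the key but does not possess it can list it with `keyctl show @u` yet cannot read it. Whether the possessor column applies to a given shell depends on the key being reachable from that process's thread, process or session keyring (or a keyring linked from them), which is what `keyctl link` changes.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): decode a kernel key's
# permission mask so a "keyctl print" denial can be explained from the
# key's rights instead of guessed at.
#
# Layout per keyrings(7): four 8-bit fields in the mask,
#   possessor bits 24-31, user bits 16-23, group bits 8-15, other bits 0-7;
# inside each field: 0x01 view, 0x02 read, 0x04 write, 0x08 search,
# 0x10 link, 0x20 setattr. "keyctl rdescribe <key>" prints the raw record
# "type;uid;gid;perm;description" with perm as eight hex digits.

# rights_for PERM ROLE: print the role's rights in keyctl describe order
# (a=setattr l=link s=search w=write r=read v=view, "-" when absent).
rights_for() {
    mask=$(( 0x$1 ))
    case "$2" in
        possessor) shift_by=24 ;;
        user)      shift_by=16 ;;
        group)     shift_by=8  ;;
        other)     shift_by=0  ;;
        *) printf 'unknown role: %s\n' "$2" >&2; return 1 ;;
    esac
    bits=$(( (mask >> shift_by) & 63 ))
    out=""
    for pair in 32:a 16:l 8:s 4:w 2:r 1:v; do
        flag=${pair%%:*}
        letter=${pair##*:}
        if [ $(( bits & flag )) -ne 0 ]; then
            out="${out}${letter}"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# can_read PERM ROLE: exit 0 when ROLE has the read right (what
# "keyctl print" and "keyctl pipe" require), 1 otherwise.
can_read() {
    case "$(rights_for "$1" "$2")" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# explain_rdescribe 'type;uid;gid;perm;description': one-line summary
# naming every role whose rights include read.
explain_rdescribe() {
    line=$1
    ktype=${line%%;*};  rest=${line#*;}
    kuid=${rest%%;*};   rest=${rest#*;}
    kgid=${rest%%;*};   rest=${rest#*;}
    kperm=${rest%%;*};  kdesc=${rest#*;}
    readers=""
    for role in possessor user group other; do
        if can_read "$kperm" "$role"; then
            readers="${readers}${readers:+,}${role}"
        fi
    done
    printf '%s "%s" (uid %s gid %s perm %s): readable by %s\n' \
        "$ktype" "$kdesc" "$kuid" "$kgid" "$kperm" "${readers:-nobody}"
}

# Constructed sample records in rdescribe format (not real output).
# 3f010000 is the add_key(2) default when no mask is given: possessor has
# every right, the owning user only "view".
SAMPLE_KEY='user;1000;1000;3f010000;svc-password'
SAMPLE_KEYRING='keyring;1000;1000;3f1f0000;_uid.1000'

explain_rdescribe "$SAMPLE_KEY"
explain_rdescribe "$SAMPLE_KEYRING"
# Live use: keyctl rdescribe <keyID> | while read -r l; do explain_rdescribe "$l"; done
```

If the decoded mask shows read only in the possessor column, the fix is about possession (which keyrings the reading process has linked) or about the mask (`keyctl setperm`), not about systemd; if the record's uid is 0 rather than the service user, the key went into root's keyring, which matches the `--keyname=` documentation Sietse quoted.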

