Linux Kernel Keyring Quota exceeded

SSSD is the System Security Services Daemon and is responsible for managing user, group and login data. Under UCS we still use libpam-ldap and libnss-ldap; both require a working network connection and are therefore not offline-capable, which is mandatory for a notebook.

SSSD has a modular structure and, in addition to user and group data from the LDAP, can also handle Kerberos keys: on authentication you receive your Kerberos Ticket Granting Ticket (KRBTGT), which serves as proof of successful authentication. With it you identify yourself to the Kerberos server when you want to access other services. For each service you then get a further ticket that authorizes you to access it.

Of course, these tickets have to be cached somewhere. Traditionally, a file such as /tmp/krb5cc_$UID was used for this. You have to be careful with these files: as long as the tickets are valid, anyone with access to the file can impersonate that user and access the services.

For security reasons it is frowned upon to store such data unencrypted (greetings, /etc/*.secret). There are also situations where other services, which like to run under their own user ID, still need access to these keys; a prominent example is the Network File System (NFS). This is one of the reasons why Linux has a built-in keyring in which cryptographic material can be stored. You can access it with keyctl, and SSSD can use it as well.

The data is safe in the kernel and does not accidentally end up on the hard disk through swapping. There is a catch, however: the mechanism could be abused for a DoS attack if there were no quota limiting the maximum storage space. And that is exactly what hit me, because the Kerberos keyring had grown too large over time. Via /proc/sys/kernel/keys/maxbytes it is limited to 20,000 bytes per user:

# grep $UID /proc/key-users
2260: 28 28/28 28/200 18733/20000

(The meaning of the values is described in more detail in <man:keyrings(7)>.) When I tried to authenticate, SSSD obtained a new ticket and wanted to attach it to my keyring, but that failed because of the quota limit.

This can be changed globally for all users as follows:

# sysctl -w kernel/keys/maxbytes=64000
kernel.keys.maxbytes = 64000

After that, logging in worked again. In the statistics I could then see that the old limit really had not been sufficient:

# grep $UID /proc/key-users
2260: 29 29/29 29/200 20127/64000

This adjustment can be made persistent, for example via a file such as /etc/sysctl.d/sssd.conf, so that the change is applied at every boot.
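A small check for the quota described above, as an added example that is not part of the original post: it parses /proc/key-users using the field layout from keyrings(7) and reports how close a user is to kernel.keys.maxbytes, so the problem can be spotted before SSSD fails. The sample data is constructed and stands in for the live file; the warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: check how close a user is to the
# kernel keyring byte quota by parsing /proc/key-users, whose fields per uid are
# (see keyrings(7)):  <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>

WARN_PERCENT="${WARN_PERCENT:-80}"   # assumed threshold: warn at 80% of maxbytes

# keyring_quota_report UID [FILE]
# Prints "<qnbytes> <maxbytes> <percent>" for UID (FILE defaults to /proc/key-users).
# Exit status: 0 = below WARN_PERCENT, 1 = at or above it, 2 = UID has no entry.
keyring_quota_report() {
    uid="$1"
    file="${2:-/proc/key-users}"
    line=$(grep -E "^ *${uid}:" "$file") || return 2
    set -- $line                          # split the line into its six fields
    qnbytes=${5%/*}                       # "18733/20000" -> 18733
    maxbytes=${5#*/}                      #               -> 20000
    percent=$(( qnbytes * 100 / maxbytes ))
    echo "$qnbytes $maxbytes $percent"
    [ "$percent" -lt "$WARN_PERCENT" ]
}

# Constructed sample in the format of the post's output (not a real capture):
# root is nowhere near its quota, uid 2260 is close to the 20,000-byte default.
SAMPLE_KEY_USERS='    0: 12 12/12 12/1000000 1234/25000000
 2260: 28 28/28 28/200 18733/20000'

# Demo on the sample; on a real system call: keyring_quota_report "$(id -u)"
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_KEY_USERS" > "$sample_file"
for u in 0 2260 999; do
    keyring_quota_report "$u" "$sample_file"
    case $? in
        0) echo "uid $u: keyring quota OK" ;;
        1) echo "uid $u: keyring quota nearly exhausted, raise kernel.keys.maxbytes" ;;
        *) echo "uid $u: no keyring entry" ;;
    esac
done
rm -f "$sample_file"
```

Running it against the live /proc/key-users before raising the limit would have shown uid 2260 at 93% of its quota, which is the state in which SSSD could no longer attach a new ticket.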
