Next: , Up: Administration Manual


3.1 Introduction to Shisa

The user database part of Shishi is called Shisa. The Shisa library is independent of the core Shishi library. Shisa is responsible for storing the name of your realms, the name of your principals (users), accounting information for the users (i.e., when each account starts to be valid and when it expires), and the cryptographic keys each user has. Some Kerberos internal data can also be stored, such as the key version number, the last dates for when various ticket requests were made, the cryptographic salt, string-to-key parameters and password for each user. Not all information need to be stored. For example, in some situations it is prudent to leave the password field empty, so that somebody who manages to steal the user database will only be able to compromise your system, and not any other systems were your user may have re-used the same password. On the other hand, you may already be storing the password in your customized database, in which case being able to change it via the Shisa interface can be useful.

Shisa is a small (a few thousand lines of C code) standalone library. Shisa does not depend on the Shishi library. Because a user database with passwords may be useful for other applications as well (e.g., GNU SASL), it might be separated into its own project later on. You should keep this in mind, so that you don't consider writing a Shisa backend for your own database as a purely Shishi specific project. You can, for example, choose to use the Shisa interface in your own applications to have a simple interface to your user database. Your experience and feedback is appreciated if you have chosen to explore this.

Note that the Shisa database does not expose everything you may want to know about a user, such as its full human name, telephone number or even the user's login account name or home directory. It only stores what is needed to authenticate a peer claiming to be an entity. Thus it does not make sense to replace your current user database or /etc/passwd with data derived from the Shisa database. Instead, it is intended that you write a Shisa backend that exports some of the information stored in your user database. You may be able to replace some existing functionality, such as the password field in /etc/passwd with a Kerberos PAM module, but there is no requirement for doing so.