Line 12: | Line 12: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/19 | Fedora 19 ]] | * Targeted release: [[Releases/19 | Fedora 19 ]] | ||
* Last updated: 2013- | * Last updated: 2013-03-11 | ||
* Percentage of completion: 90% | * Percentage of completion: 90% | ||
Revision as of 20:21, 11 March 2013
Less Brittle Kerberos
Summary
Make kerberos in Fedora simpler to use by removing some of the brittleness that are common failure points. In particular we remove the need for kerberos clients to sync their clocks, and remove the need to have reverse DNS records carefully setup for services.
Owner
- Name: Stef Walter
- Email: stefw@redhat.com
Current status
- Targeted release: Fedora 19
- Last updated: 2013-03-11
- Percentage of completion: 90%
Detailed Description
MIT kerberos 1.11 now contains work so that clients do not have to sync their system clocks with that of the KDC. A time offset is discovered during preauth and stored along with the local credentials. This removes a common point of failure when using kerberos.
Kerberos clients can optionally verify reverse DNS records for services that they connect to as a way of trying to identify which realm they belong to. However in many cases these do not exist. Kerberos should fall back to it's default behavior in that case. Failure to do this is a common point of failure when using kerberos.
Further enhancements will be included in kerberos 1.11:
- http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
- http://web.mit.edu/kerberos/krb5-latest/
Benefit to Fedora
Less pain for users using kerberos services. Administrators will have less work-arounds and gotchas to manage when deploying a kerberos to a network.
Scope
This involves updating the krb5 package to 1.11, and perhaps including one or two patches to make the name resolution behavior match that in the libc resolver.
How To Test
This will be more fully fleshed out:
- Use kinit to authenticate against a realm.
- Change the local clock to several days ahead, and kinit again. It should work.
- Use GSSAPI to log into a service which does not have a reverse DNS record, even though you do not have an 'rdns = false' line in your /etc/krb5.conf.
User Experience
This removes pain from the user experience, and simplifies use of Fedora as a client on networks with kerberos authentication.
Dependencies
- krb5
- libc
Contingency Plan
Since it is likely that krb5 1.11 will be included in Fedora 19 for other features, in the case of a big problem, we would work to back out these specific changes/patches.
Documentation
Documentation should be forthcoming.
Release Notes
- It is now possible to authenticate using kerberos regardless of the local system time being in sync with that of the kerberos server.
- Various kerberos bugs have been fixed in order to make a more seamless kerberos experience.