Less Brittle Kerberos
Make kerberos in Fedora simpler to use by removing some of the brittleness that is a common source of failures. In particular, we remove the need for kerberos clients to sync their clocks, and remove the need to have reverse DNS records carefully set up for services.
- Name: Stef Walter
- Email: firstname.lastname@example.org
- Targeted release: Fedora 19
- Last updated: 2013-03-11
- Percentage of completion: 90%
- Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=949853
MIT kerberos 1.11 now includes changes so that clients do not have to sync their system clocks with that of the KDC. A time offset is discovered during preauth and stored along with the local credentials. This removes a common point of failure when using kerberos.
Kerberos clients can optionally verify reverse DNS records for services that they connect to as a way of trying to identify which realm they belong to. However, in many cases these records do not exist. Kerberos should fall back to its default behavior in that case. Failure to do this is a common point of failure when using kerberos.
Further enhancements will be included in kerberos 1.11:
- http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
Benefit to Fedora
Less pain for users of kerberos services. Administrators will have fewer work-arounds and gotchas to manage when deploying kerberos on a network.
This involves updating the krb5 package to 1.11, and perhaps including one or two patches to make the name resolution behavior match that in the libc resolver.
How To Test
This will be more fully fleshed out:
- Use kinit to authenticate against a realm.
- Change the local clock to several days ahead, and kinit again. It should work.
- Use GSSAPI to log into a service which does not have a reverse DNS record, even though you do not have an 'rdns = false' line in your /etc/krb5.conf.
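As an added illustration (not MIT krb5 code, and deliberately simplified), the following Python models the clock-offset mechanism described above and the second test step: a toy KDC rejects timestamps outside its skew window with KRB_AP_ERR_SKEW, and the client derives an offset from the KDC's reported time, retries, and keeps the offset next to its credentials. The class names, the epoch value and the 300-second window are constructed for this example.

```python
KRB_AP_ERR_SKEW = 37   # KRB-ERROR code "clock skew too great"
MAX_SKEW = 300         # seconds a KDC tolerates (krb5's default clockskew)


class Kdc:
    """Toy KDC: rejects requests whose timestamp is too far from its own clock."""

    def __init__(self, clock):
        self.clock = clock  # constructed: the KDC's idea of "now" (epoch seconds)

    def as_req(self, principal, client_time):
        if abs(client_time - self.clock) > MAX_SKEW:
            # A real KDC reports its own time in the KRB-ERROR stime field.
            return {"error": KRB_AP_ERR_SKEW, "stime": self.clock}
        return {"ticket": "krbtgt/" + principal, "authtime": self.clock}


class Client:
    """Toy client; learn_offset=True models the krb5 1.11 behaviour."""

    def __init__(self, kdc, clock, learn_offset=True):
        self.kdc = kdc
        self.clock = clock            # constructed: local (possibly wrong) time
        self.learn_offset = learn_offset
        self.ccache = {"time_offset": 0}  # stands in for the credential cache

    def kinit(self, principal):
        offset = self.ccache["time_offset"]
        reply = self.kdc.as_req(principal, self.clock + offset)
        if reply.get("error") == KRB_AP_ERR_SKEW and self.learn_offset:
            # Derive the offset from the KDC's reported time and retry once.
            offset = reply["stime"] - self.clock
            reply = self.kdc.as_req(principal, self.clock + offset)
        if "ticket" in reply:
            # The offset is stored alongside the ticket, as krb5 1.11 does.
            self.ccache["time_offset"] = offset
            self.ccache["ticket"] = reply["ticket"]
        return reply


def kinit_with_clock_ahead(days_ahead, learn_offset=True):
    """Model test step 2: local clock several days ahead of the KDC."""
    kdc = Kdc(clock=1_362_960_000)  # constructed epoch time
    client = Client(kdc, kdc.clock + days_ahead * 86400, learn_offset)
    reply = client.kinit("user@EXAMPLE.COM")
    return reply, client.ccache["time_offset"]
```

With learn_offset=False the first request fails with the skew error and no offset is recorded, which is the pre-1.11 failure the test step checks for.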
This removes pain from the user experience, and simplifies use of Fedora as a client on networks with kerberos authentication.
Since it is likely that krb5 1.11 will be included in Fedora 19 for other features, in the case of a big problem, we would work to back out these specific changes/patches.
Documentation should be forthcoming.
- It is now possible to authenticate using kerberos regardless of whether the local system time is in sync with that of the kerberos server.
- Various kerberos bugs have been fixed in order to make a more seamless kerberos experience.