From Fedora Project Wiki
Revision as of 13:14, 29 January 2013

Less Brittle Kerberos

Summary

Make kerberos in Fedora simpler to use by removing some of the brittleness behind common failure points. In particular, we remove the need for kerberos clients to sync their clocks, and remove the need to have reverse DNS records carefully set up for services.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-01-28
  • Percentage of completion: 80%

Detailed Description

MIT kerberos 1.11 now contains work so that clients do not have to sync their system clocks with that of the KDC. A time offset is discovered during preauth and stored along with the local credentials. This removes a common point of failure when using kerberos.
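
The time-offset behaviour described above, as an added example that is not code from MIT krb5 or the Fedora page: a simplified Python model in which the client learns the KDC's time from the first reply, stores the difference, and sends corrected timestamps. The class names (`ToyKDC`, `ToyClient`), the sample epoch value and the `use_offset` switch are assumptions made for illustration; the 300-second tolerance is the default `clockskew`.

```python
# Simplified model of KDC time-offset discovery; not MIT krb5 code.
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; default skew tolerance (clockskew in krb5.conf)


class SkewError(Exception):
    """Stands in for the KDC rejecting a timestamp outside the skew window."""


@dataclass
class ToyKDC:
    now: float  # the KDC's view of the current time (epoch seconds)

    def preauth_required(self) -> float:
        # The reply to a request without preauth carries the KDC's own time.
        return self.now

    def check_timestamp(self, client_ts: float) -> str:
        if abs(client_ts - self.now) > CLOCKSKEW:
            raise SkewError(f"timestamp off by {client_ts - self.now:+.0f}s")
        return "TGT"


@dataclass
class ToyClient:
    local_clock: float
    stored_offset: float = 0.0  # kept alongside the credentials once learned

    def kinit(self, kdc: ToyKDC, use_offset: bool) -> str:
        kdc_time = kdc.preauth_required()
        if use_offset:
            self.stored_offset = kdc_time - self.local_clock
        # Timestamp preauth: local time corrected by the stored offset.
        return kdc.check_timestamp(self.corrected_time())

    def corrected_time(self) -> float:
        # Later requests reuse the offset; the system clock is never changed.
        return self.local_clock + self.stored_offset


def demo(days_ahead: float = 3):
    kdc = ToyKDC(now=1_359_000_000.0)  # constructed sample time
    skewed = kdc.now + days_ahead * 86_400
    try:
        old = ToyClient(skewed).kinit(kdc, use_offset=False)
    except SkewError as exc:
        old = f"rejected: {exc}"
    client = ToyClient(skewed)
    return old, client.kinit(kdc, use_offset=True), client.stored_offset
```
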

Kerberos clients can optionally verify reverse DNS records for services that they connect to as a way of trying to identify which realm they belong to. However, in many cases these records do not exist. Kerberos should fall back to its default behavior in that case. Failure to do this is a common point of failure when using kerberos.

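Further enhancements will be included in kerberos 1.11:

  • http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
  • http://web.mit.edu/kerberos/krb5-latest/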

Benefit to Fedora

Less pain for users using kerberos services. Administrators will have fewer workarounds and gotchas to manage when deploying kerberos to a network.

Scope

This involves updating the krb5 package to 1.11, and perhaps including one or two patches to make the name resolution behavior match that in the libc resolver.

How To Test

This will be more fully fleshed out:

  • Use kinit to authenticate against a realm.
  • Change the local clock to several days ahead, and kinit again. It should work.
  • Use GSSAPI to log into a service which does not have a reverse DNS record, even though you do not have an 'rdns = false' line in your /etc/krb5.conf.

User Experience

This removes pain from the user experience, and simplifies use of Fedora as a client on networks with kerberos authentication.

Dependencies

  • krb5
  • libc

Contingency Plan

Since it is likely that krb5 1.11 will be included in Fedora 19 for other features, in the case of a big problem, we would work to back out these specific changes/patches.

Documentation

Documentation should be forthcoming.

Release Notes

  • It is now possible to authenticate using kerberos regardless of the local system time being in sync with that of the kerberos server.
  • Various kerberos bugs have been fixed in order to make a more seamless kerberos experience.

Comments and Discussion