<div dir="ltr">Can't reply on the wiki page, FAS is throwing a 500 server error when I try to log in.<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <span dir="ltr"><<a href="mailto:jreznik@redhat.com" target="_blank">jreznik@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">= Features/LessBrittleKerberos =<br>
<a href="https://fedoraproject.org/wiki/Features/LessBrittleKerberos" target="_blank">https://fedoraproject.org/wiki/Features/LessBrittleKerberos</a><br>
<br>
Feature owner(s): Stef Walter <<a href="mailto:stefw@redhat.com" target="_blank">stefw@redhat.com</a>><br>
<br>
Make kerberos in Fedora simpler to use by removing some of the brittleness<br>
that are common failure points. In particular we remove the need for kerberos<br>
clients to sync their clocks, and remove the need to have reverse DNS records<br>
carefully setup for services.<br>
<br>
== Detailed description ==<br>
MIT kerberos 1.11 now contains work so that clients do not have to sync their<br>
system clocks with that of the KDC. A time offset is discovered during preauth<br>
and stored along with the local credentials. This removes a common point of<br>
failure when using kerberos.<br></blockquote><div><br></div><div>One concern, would this time offset be per server on the client, e.g. if people get used to this then a group of servers may all have varyingly wrong times (e.g. server A is 10 minutes fast, server B is 34 minutes slow and server C is only off by 2 seconds). Also mitm attacks again.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Kerberos clients can optionally verify reverse DNS records for services that<br>
they connect to as a way of trying to identify which realm they belong to.<br>
However in many cases these do not exist. Kerberos should fall back to it's<br>
default behavior in that case. Failure to do this is a common point of failure<br>
when using kerberos.<br></blockquote><div><br></div><div>would this for example cache data so that for example if the server has reverse DNS setup, then it stops woring the client warns the user (e.g. indicating a possible man in the middle attack)?</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Further enhancements will be included in kerberos 1.11:<br>
<br>
* <a href="http://k5wiki.kerberos.org/wiki/Projects/Responder" target="_blank">http://k5wiki.kerberos.org/wiki/Projects/Responder</a> (for 1.11)<br>
* <a href="http://web.mit.edu/kerberos/krb5-latest/" target="_blank">http://web.mit.edu/kerberos/krb5-latest/</a><br>
_______________________________________________<br>
devel-announce mailing list<br>
<a href="mailto:devel-announce@lists.fedoraproject.org" target="_blank">devel-announce@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel-announce" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel-announce</a><br>
<span><font color="#888888">--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org" target="_blank">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a></font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Kurt Seifried<br>
<a href="mailto:kurt@seifried.org" target="_blank">kurt@seifried.org</a>
</div></div>