On Tue, Oct 25, 2016 at 3:00 PM, Dennis Gilmore <dennis(a)ausil.us> wrote:
On martes, 25 de octubre de 2016 2:42:15 PM CDT Ken Dreyer wrote:
> Hi Amanda,
>
> I'm curious about this change: "Kerberos support in koji, fedpkg, OSBS
"
>
> Is
koji.fedoraproject.org is going to eventually stop supporting TLS
> authentication, and we'll have a Fedora-project-wide Kerberos
> infrastructure instead?
there will be kerberos auth for koji and lookaise cache, if it will be project
wide or not I am not sure that is decided yet.
Thanks Dennis.
I'm curious about this because most organizations do not expose their
KDCs directly to the internet. As I understand it, it's possible for a
passive attacker to sniff the TGT exchange and brute-force a password,
whereas this attack scenario is not possible with Koji's current HTTPS
client cert authentication.
- Ken