Can't reply on the wiki page, FAS is throwing a 500 server error when I try to log in.

On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik wrote:
= Features/LessBrittleKerberos =

Feature owner(s): Stef Walter

Make kerberos in Fedora simpler to use by removing some of the brittle
behaviors that are common failure points. In particular we remove the need for
kerberos clients to sync their clocks, and remove the need to have reverse DNS
records carefully set up for services.

== Detailed description ==
MIT kerberos 1.11 now contains work so that clients do not have to sync their
system clocks with that of the KDC. A time offset is discovered during preauth
and stored along with the local credentials. This removes a common point of
failure when using kerberos.

One concern: would this time offset be per server on the client? E.g. if people get used to this, then a group of servers may all have varyingly wrong times (e.g. server A is 10 minutes fast, server B is 34 minutes slow and server C is only off by 2 seconds). Also, MITM attacks again.

Kerberos clients can optionally verify reverse DNS records for services that
they connect to as a way of trying to identify which realm they belong to.
However in many cases these do not exist. Kerberos should fall back to its
default behavior in that case. Failure to do this is a common point of failure
when using kerberos.

Would this, for example, cache data so that if the server has reverse DNS set up and it then stops working, the client warns the user (e.g. indicating a possible man-in-the-middle attack)?

Further enhancements will be included in kerberos 1.11:

* (for 1.11)

Kurt Seifried