Proposed F19 Feature: Less Brittle Kerberos

Jaroslav Reznik jreznik at
Thu Jan 31 11:47:25 UTC 2013

= Features/LessBrittleKerberos =

Feature owner(s): Stef Walter <stefw at>

Make kerberos in Fedora simpler to use by removing some of the brittleness 
that are common failure points. In particular we remove the need for kerberos 
clients to sync their clocks, and remove the need to have reverse DNS records 
carefully setup for services. 

== Detailed description ==
MIT kerberos 1.11 now contains work so that clients do not have to sync their 
system clocks with that of the KDC. A time offset is discovered during preauth 
and stored along with the local credentials. This removes a common point of 
failure when using kerberos.

Kerberos clients can optionally verify reverse DNS records for services that 
they connect to as a way of trying to identify which realm they belong to. 
However in many cases these do not exist. Kerberos should fall back to it's 
default behavior in that case. Failure to do this is a common point of failure 
when using kerberos.

Further enhancements will be included in kerberos 1.11:

* (for 1.11)

More information about the devel-announce mailing list