Proposed F19 Feature: Less Brittle Kerberos

Jaroslav Reznik jreznik at redhat.com
Thu Jan 31 11:47:25 UTC 2013


= Features/LessBrittleKerberos =
https://fedoraproject.org/wiki/Features/LessBrittleKerberos

Feature owner(s): Stef Walter <stefw at redhat.com>

Make Kerberos in Fedora simpler to use by removing some of the brittleness
that is a common failure point. In particular we remove the need for Kerberos
clients to sync their clocks, and remove the need to have reverse DNS records
carefully set up for services.

== Detailed description ==
MIT Kerberos 1.11 now contains work so that clients do not have to sync their
system clocks with that of the KDC. A time offset is discovered during preauth
and stored along with the local credentials. This removes a common point of
failure when using Kerberos.

Kerberos clients can optionally verify reverse DNS records for services that
they connect to as a way of trying to identify which realm they belong to.
However, in many cases these do not exist. Kerberos should fall back to its
default behavior in that case. Failure to do this is a common point of failure
when using Kerberos.
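The two behaviours described in the paragraphs above, as an added illustration that is not part of the feature page and not MIT krb5's own code: a toy client that learns its clock offset from the KDC's skew error during preauth and keeps it beside its credentials, and a service-name lookup that falls back to the caller's hostname when no reverse DNS record exists. The KDC, credential cache and PTR table are constructed stand-ins; the 300 second limit matches the default of the real `clockskew` setting, everything else (class and function names, the fake records) is hypothetical.

```python
"""Constructed simulation of clock-offset discovery and reverse-DNS fallback.
Toy code for illustration; it does not speak the Kerberos wire protocol."""

from dataclasses import dataclass
from typing import Optional

MAX_SKEW = 300  # seconds; the default value of krb5's 'clockskew' setting


@dataclass
class KrbError:
    """Minimal stand-in for a KRB-ERROR reply."""
    code: str   # e.g. "KRB_AP_ERR_SKEW"
    stime: int  # the KDC's current time, which a real KRB-ERROR also carries


class FakeKDC:
    """Constructed KDC: rejects AS requests whose timestamp is outside MAX_SKEW."""

    def __init__(self, kdc_time: int) -> None:
        self.kdc_time = kdc_time
        self.requests = 0  # how many AS-REQs the client had to send

    def as_req(self, client_timestamp: int):
        self.requests += 1
        if abs(client_timestamp - self.kdc_time) > MAX_SKEW:
            return KrbError("KRB_AP_ERR_SKEW", self.kdc_time)
        return {"ticket": "TGT", "issued_at": self.kdc_time}


@dataclass
class CredCache:
    """Credentials plus the time offset learnt from the KDC. The point of the
    proposal is that the offset lives here instead of requiring the admin to
    fix the client clock."""
    time_offset: int = 0
    ticket: Optional[dict] = None


def kinit(kdc: FakeKDC, local_clock: int, ccache: CredCache) -> bool:
    """Obtain a ticket. On a skew error, record the KDC's offset relative to
    the local clock and retry once with the corrected timestamp."""
    for _ in range(2):
        timestamp = local_clock + ccache.time_offset
        reply = kdc.as_req(timestamp)
        if isinstance(reply, KrbError):
            if reply.code == "KRB_AP_ERR_SKEW":
                ccache.time_offset = reply.stime - local_clock
                continue
            return False
        ccache.ticket = reply
        return True
    return False


# Constructed PTR table standing in for the resolver; addresses absent here
# have no reverse record, which is the common case the proposal talks about.
FAKE_PTR = {"10.0.0.5": "mail.example.test"}


def service_name(hostname: str, addr: str, rdns: bool = True,
                 ptr_table=FAKE_PTR) -> str:
    """Build the host-based service name for a connection. With rdns enabled,
    prefer the PTR name when one exists; when none exists, fall back to the
    name the caller supplied rather than failing the authentication."""
    name = ptr_table.get(addr, hostname) if rdns else hostname
    return "host/" + name.lower()


if __name__ == "__main__":
    kdc = FakeKDC(kdc_time=1_000_000)
    cache = CredCache()
    # Client clock is one hour behind the KDC: first AS-REQ is rejected for
    # skew, the offset is stored, and the retry succeeds.
    print(kinit(kdc, local_clock=1_000_000 - 3600, ccache=cache), cache.time_offset)
    # Host with a PTR record, and host without one that falls back cleanly.
    print(service_name("MAIL.example.test", "10.0.0.5"))
    print(service_name("smtp.example.test", "10.0.0.9"))
```

The second call to `kinit` with the same `CredCache` succeeds on its first request, because the stored offset is applied before the timestamp is sent. In a real deployment the reverse-lookup behaviour is controlled by the `rdns` setting in the `[libdefaults]` section of krb5.conf, which can be set to `false` where PTR records are known to be unreliable.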

Further enhancements will be included in Kerberos 1.11:

* http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
* http://web.mit.edu/kerberos/krb5-latest/
