Proposed F19 Feature: Less Brittle Kerberos

Kurt Seifried kurt at seifried.org
Thu Jan 31 21:35:14 UTC 2013


Can't reply on the wiki page, FAS is throwing a 500 server error when I try
to log in.


On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jreznik at redhat.com> wrote:

> = Features/LessBrittleKerberos =
> https://fedoraproject.org/wiki/Features/LessBrittleKerberos
>
> Feature owner(s): Stef Walter <stefw at redhat.com>
>
> Make kerberos in Fedora simpler to use by removing some of the brittleness
> that is a common failure point. In particular we remove the need for
> kerberos clients to sync their clocks, and remove the need to have reverse
> DNS records carefully set up for services.
>
> == Detailed description ==
> MIT kerberos 1.11 now contains work so that clients do not have to sync
> their system clocks with that of the KDC. A time offset is discovered
> during preauth and stored along with the local credentials. This removes a
> common point of failure when using kerberos.
>

One concern: would this time offset be per server on the client? E.g. if
people get used to this, then a group of servers may all have varyingly
wrong times (e.g. server A is 10 minutes fast, server B is 34 minutes slow
and server C is only off by 2 seconds). Also MITM attacks again.


>
> Kerberos clients can optionally verify reverse DNS records for services
> that they connect to as a way of trying to identify which realm they
> belong to. However in many cases these do not exist. Kerberos should fall
> back to its default behavior in that case. Failure to do this is a common
> point of failure when using kerberos.
>

Would this, for example, cache data so that if the server has reverse DNS
set up and then it stops working, the client warns the user (e.g.
indicating a possible man-in-the-middle attack)?


>
> Further enhancements will be included in kerberos 1.11:
>
> * http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
> * http://web.mit.edu/kerberos/krb5-latest/




-- 
Kurt Seifried
kurt at seifried.org
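As an added illustration (not code from the feature page or from MIT krb5), a simplified Python model of the preauth offset discovery described in the feature text, with the per-realm bookkeeping Kurt asks about: the KDC rejects a request whose timestamp is outside the allowed skew and reports its own time, the client stores the offset per realm beside its credentials, and a defender-side check flags realms whose stored offset has drifted between runs. The realm names, clock values and the 300-second skew limit are constructed sample values.

```python
"""Simplified model of clock-skew compensation as described for MIT krb5 1.11.
Constructed for illustration; not the library's own code or wire format."""
from dataclasses import dataclass, field

MAX_SKEW = 300  # seconds; constructed to match the traditional krb5 clockskew default


@dataclass
class Kdc:
    realm: str
    clock: int  # the KDC's notion of "now" (constructed sample value)

    def preauth(self, client_ts: int):
        # KRB_AP_ERR_SKEW-style outcome: reject and reveal the KDC's time,
        # which is what lets the client compute an offset.
        if abs(client_ts - self.clock) > MAX_SKEW:
            return ("SKEW", self.clock)
        return ("OK", None)


@dataclass
class Client:
    clock: int
    offsets: dict = field(default_factory=dict)  # realm -> stored offset (seconds)

    def authenticate(self, kdc: Kdc) -> bool:
        # Apply any offset already stored for this realm, then retry once on skew.
        ts = self.clock + self.offsets.get(kdc.realm, 0)
        status, kdc_time = kdc.preauth(ts)
        if status == "SKEW":
            self.offsets[kdc.realm] = kdc_time - self.clock
            status, _ = kdc.preauth(self.clock + self.offsets[kdc.realm])
        return status == "OK"


def drifted_realms(previous: dict, current: dict, tolerance: int = 60) -> list:
    """Realms whose stored offset moved by more than `tolerance` seconds since
    the previous run. A sudden jump is worth logging: it means either the
    KDC's clock moved or something between client and KDC changed."""
    return sorted(r for r in current if abs(current[r] - previous.get(r, 0)) > tolerance)


def demo() -> dict:
    # Client clock at t=1000; KDC A 10 min fast, B 34 min slow, C 2 s off.
    client = Client(clock=1000)
    kdcs = [Kdc("A.EXAMPLE", 1600), Kdc("B.EXAMPLE", -1040), Kdc("C.EXAMPLE", 1002)]
    results = {k.realm: client.authenticate(k) for k in kdcs}
    return {"ok": results, "offsets": dict(client.offsets)}
```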