Proposed new blocking criterion for Fedora Server: GSSAPI SSO via SSH

[Stephen Gallagher]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently, we have a number of blocking criterion in Fedora Server
around domain membership that the machine must be able to join a
domain and that a user must be able to log into the machine using
standard login mechanisms (console, GDM, etc.).

What we are lacking is a criterion specifying single-sign-on
functionality, which is a key part of the domain experience. I'd like
to propose that the following functionality be added as a Beta
criterion from here forth:

== Server Product Requirements ==

=== Remote Authentication ===
* A user who signs in locally or via SSH to a Fedora Server joined to
a FreeIPA or Active Directory domain using a supported domain-joining
mechanism[1] must be capable of connecting via SSH to any other Fedora
Server of the same version to which they have appropriate access
privileges without being required to re-enter their password.[2]
(Note: this assumes an "online" login; if the user logs in while
disconnected from the authentication server, they may not be able to
use SSO features without manual intervention.)

* Single-sign-on capabilities must be available without any additional
configuration by the user except the initial join to the domain.



[1] This means realmd in the current implementation, which is the
mechanism used under the hood by Cockpit. I'd recommend leaving out
more manual methods like ipa-client-install, adcli and 'net ads'.

[2] Under the hood, this means that the authentication negotiation
should happen via GSSAPI.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlYSygMACgkQeiVVYja6o6NUMwCgkNjoXxlGB6cyCZC3bkVJ1pNX
+K4AoJn6Yg24djVWofsN5qr9AhGoBdDn
=vY35
-----END PGP SIGNATURE-----