Proposed new blocking criterion for Fedora Server: GSSAPI SSO via SSH

Mike Ruckman roshi at fedoraproject.org
Mon Oct 5 21:06:52 UTC 2015


On Mon, Oct 05, 2015 at 03:05:42PM -0400, Stephen Gallagher wrote:
> Currently, we have a number of blocking criteria in Fedora Server
> around domain membership that the machine must be able to join a
> domain and that a user must be able to log into the machine using
> standard login mechanisms (console, GDM, etc.).
> 
> What we are lacking is a criterion specifying single-sign-on
> functionality, which is a key part of the domain experience. I'd like
> to propose that the following functionality be added as a Beta
> criterion from here forth:
> 
> == Server Product Requirements ==
> 
> === Remote Authentication ===
> * A user who signs in locally or via SSH to a Fedora Server joined to
> a FreeIPA or Active Directory domain using a supported domain-joining
> mechanism[1] must be capable of connecting via SSH to any other Fedora
> Server of the same version to which they have appropriate access
> privileges without being required to re-enter their password.[2]
> (Note: this assumes an "online" login; if the user logs in while
> disconnected from the authentication server, they may not be able to
> use SSO features without manual intervention.)
> 
> * Single-sign-on capabilities must be available without any additional
> configuration by the user except the initial join to the domain.
> 
> 
> 
> [1] This means realmd in the current implementation, which is the
> mechanism used under the hood by Cockpit. I'd recommend leaving out
> more manual methods like ipa-client-install, adcli and 'net ads'.
> 
> [2] Under the hood, this means that the authentication negotiation
> should happen via GSSAPI.

+1

That seems to be clear and make sense to me.

-- 
// Mike 
--
Fedora QA
freenode: roshi
http://roshi.fedorapeople.org