Difference between revisions of "Projects/Documentation Tasks"

Latest revision as of 09:28, 5 June 2013

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.

Purpose

To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.

Application development


task	Proposed Author	Target Date	Reviewer Comments
Designing a new protocol, or extending existing one, to use GSS-API
Choosing security API
GSS-API vs SASL vs KRB5
A guide to the similarities and differences between Heimdal and MIT Kerberos API
GSS-API
A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues
How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is
How to write mechanism-independent GSS-API code
A guide to GSS-API naming as compared to Kerberos principal naming
Using IAKERB
Delegating credentials	GH	2012-10-01
Available extensions
Thread safety	KR
Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection
Krb5 library guide
Kerberos prompter behavior
An introduction to ticket caches and keytabs and their corresponding APIs	KR		under review
An advanced guide to the pre-auth mechanisms, FAST
An advanced guide to the principal manipulation and parsing	TY	TBD
Thread safety	KR
Password change including the automatic internal support for password change on expired passwords if a prompter is provided
krb5_appdefault_* functions and their alternatives


Completed task	Author	Date	Reviewer
Choosing security API
Acceptor naming - How to get servers to use any key in a keytab	GH	2012-03-01
Anonymous credentials	GH	2012-10-01
Developing plugins	GH	2012-03-08
A guide to developing plugins
Overview of existing pluggable interfaces			ZT reviewed profile plugin
A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential	TY	2012-04-27
MIT Kerberos features : quick facts	ZT	ongoing
How to build Kerberos from source	ZT

Administration


task	Proposed Author	Target Date	Reviewer Comments
Introduction to Kerberos system
Man page	TH	2012-08-15	in progress
General overview	TH	2012-08-15
Intro for admins	TH	2012-08-15
Technical overview	TH	2012-07-15	in progress
Setting a new realm
Choosing backend: LDAP vs DB2
DNS configuration and SRV records - how they are used, in what order	KR
Choosing encryption types for principals	TY	2012-12-14	under review
Upgrading a Kerberos infrastructure (order, backward compatibility)
Integration Kerberos with Login System
Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment
Validating Kerberos tickets
Clear text password over HTTPS
Configuring with pam_krb5 module
Storing/locating keytab
Cross-realm
cross-realm interaction with AD
Transitive trust
Referrals
Performance
Performance tuning tips
Performance tradeoffs
kadmin interface
Keying workstation/ host key setting
Using Smartcard with PKINIT
Kerberized ssh
Configuration
Cross-realm and ssh
A guide to principal naming basics and structure	ZT	2013-03-01
Troubleshooting
Troubleshooting errors	ZT	ongoing
Realm renaming
Forgot Kerberos Master Key	GH
Basic concepts (passwd policy, ticket )
Approaches to authorization -- centralized vs distributed, etc.


Completed task	Author	Date	Reviewer Comments
Replication	ZT
Reverse DNS	TY	2012-12-12
Selecting and configuring plugins	GH	2012-03-15
Anonymity support	GH	2012-10-01
Trace logging	GH	2012-03-22
Using LDAP server for Kerberos backend	ZT		Ubuntu 10.4 (lucid)
Acceptable date and time formats	ZT	2012-07-15
kadm5.acl man page	ZT	2012-08-15

General


task	Proposed Author	Target Date	Reviewer	Reviewer Comments
Why Kerberos system is suitable for the internet, not only for the enterprise	TY
Impact RC4 vulnerabilities on Kerberos	TY

API documentation

Most commonly used API functions (in alphabetical order):

Tier 1 - Highest priority
Completed API	Author	Reviewer	Reviewer Comments
krb5_build_principal [1]	ZT	GH
krb5_build_principal_alloc_va [2]	ZT	GH
krb5_build_principal_ext [3]	ZT	GH
krb5_cc_close [4]	ZT	GH
krb5_cc_default [5]	ZT	GH
krb5_cc_default_name [6]	ZT	GH
krb5_cc_destroy [7]	ZT	GH
krb5_cc_dup [8]	ZT	GH
krb5_cc_get_name [9]	ZT	GH
krb5_cc_get_principal [10]	ZT	GH
krb5_cc_get_type [11]	ZT	GH
krb5_cc_initialize [12]	ZT	GH
krb5_cc_new_unique [13]	ZT	GH
krb5_cc_resolve [14]	ZT	GH
krb5_change_password [15]	ZT	GH
krb5_free_context [16]	ZT	GH
krb5_free_error_message [17]	ZT	GH
krb5_free_principal [18]	ZT	GH
krb5_fwd_tgt_cred [19]	ZT	GH	Needs example
krb5_get_default_realm [20]	ZT	GH
krb5_get_error_message [21]	ZT	GH
krb5_get_host_realm [22]	ZT	GH
krb5_get_credentials [23]	ZT	GH
krb5_get_fallback_host_realm [24]	ZT	GH
krb5_get_init_creds_keytab [25]	ZT	GH
krb5_get_init_creds_opt_alloc [26]	ZT	GH
krb5_get_init_creds_opt_free [27]	ZT	GH
krb5_get_init_creds_opt_get_fast_flags [28]	ZT	GH
krb5_get_init_creds_opt_init [29]	ZT	GH
krb5_get_init_creds_opt_set_address_list [30]	ZT	GH
krb5_get_init_creds_opt_set_anonymous [31]	ZT	GH
krb5_get_init_creds_opt_set_canonicalize [32]	ZT	GH
krb5_get_init_creds_opt_set_change_password_prompt [33]	ZT	GH
krb5_get_init_creds_opt_set_etype_list [34]	ZT	GH
krb5_get_init_creds_opt_set_expire_callback [35]	ZT	GH
krb5_get_init_creds_opt_set_fast_ccache [36]	ZT	GH
krb5_get_init_creds_opt_set_fast_ccache_name [37]	ZT	GH
krb5_get_init_creds_opt_set_fast_flags [38]	ZT	GH
krb5_get_init_creds_opt_set_forwardable [39]	ZT	GH
krb5_get_init_creds_opt_set_out_ccache [40]	ZT	GH
krb5_get_init_creds_opt_set_pa [41]	ZT	GH
krb5_get_init_creds_opt_set_preauth_list [42]	ZT	GH
krb5_get_init_creds_opt_set_proxiable [43]	ZT	GH
krb5_get_init_creds_opt_set_renew_life [44]	ZT	GH
krb5_get_init_creds_opt_set_salt [45]	ZT	GH
krb5_get_init_creds_opt_set_tkt_life [46]	ZT	GH
krb5_get_init_creds_password [47]	ZT	GH
krb5_get_profile [48]	ZT	GH
krb5_get_prompt_types [49]	ZT	GH
krb5_get_renewed_creds [50]	ZT	GH
krb5_get_validated_creds [51]	ZT	GH
krb5_init_context [52]	ZT	GH
krb5_init_secure_context [53]	ZT	GH
krb5_is_config_principal [54]	ZT	GH
krb5_is_thread_safe [55]	ZT	GH
krb5_kt_close [56]	ZT	GH
krb5_kt_default [57]	ZT	GH
krb5_kt_default_name [58]	ZT	GH
krb5_kt_get_name [59]	ZT	GH
krb5_kt_get_type [60]	ZT	GH
krb5_kt_resolve [61]	ZT	GH
krb5_kuserok [62]	ZT	GH
krb5_parse_name [63]	ZT	GH
krb5_parse_name_flags [64]	ZT	GH
krb5_principal_compare [65]	ZT	GH
krb5_principal_compare_any_realm [66]	ZT	GH
krb5_principal_compare_flags [67]	ZT	GH
krb5_prompter_posix [68]	ZT	GH
krb5_realm_compare [69]	ZT	GH
krb5_recvauth [70]	ZT	GH
krb5_recvauth_version [71]	ZT	GH
krb5_set_default_realm [72]	ZT	GH
krb5_set_password [73]	ZT	GH
krb5_set_password_using_ccache [74]	ZT	GH
krb5_set_principal_realm [75]	ZT	GH
krb5_set_trace_callback [76]	ZT	GH
krb5_set_trace_filename [77]	ZT	GH
krb5_sname_to_principal [78]	ZT	GH
krb5_unparse_name [79]	ZT	GH
krb5_unparse_name_ext [80]	ZT	GH
krb5_unparse_name_flags [81]	ZT	GH
krb5_unparse_name_flags_ext [82]	ZT	GH
krb5_us_timeofday [83]	ZT	GH
krb5_verify_authdata_kdc_issued [84]	ZT	GH

We may want to have more examples for some of the common API functions.

Manpage proofreading


manpage	original	reviewer	comments
k5identity.5	src/gen-manpages/k5identity.M	GH
k5login.5	src/gen-manpages/k5login.M	GH
k5srvutil.1	src/kadmin/cli/k5srvutil.M	GH
kadmin.1	src/kadmin/cli/kadmin.M	GH
kadmind.8	src/kadmin/server/kadmind.M	GH
kdb5_ldap_util.8	src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M	GH
kdb5_util.8	src/kadmin/dbutil/kdb5_util.M	GH
kdc.conf.5	src/config-files/kdc.conf.M	GH
kdestroy.1	src/clients/kdestroy/kdestroy.M	GH
kinit.1	src/clients/kinit/kinit.M	GH
kpasswd.1	src/clients/kpasswd/kpasswd.M	GH
kprop.8	src/slave/kprop.M	GH
kpropd.8	src/slave/kpropd.M	GH
kproplog.8	src/slave/kproplog.M	GH
krb5-send-pr.1	src/util/send-pr/send-pr.1		copyright issues. Removed from the documentation
krb5.conf.5	src/config-files/krb5.conf.M	GH
krb5kdc.8	src/kdc/krb5kdc.M	GH
ksu.1	src/clients/ksu/ksu.M	GH	needs rewrite
kswitch.1	src/clients/kswitch/kswitch.M	GH
kvno.1	src/clients/kvno/kvno.M	GH
sclient.1	src/appl/sample/sclient/sclient.M	GH
sserver.8	src/appl/sample/sserver/sserver.M	GH

Abbreviations


abbreviation	full names?
GH	Greg Hudson
KR	Ken Raeburn
MIT	MITKC group
NW	Nico Williams
TH	Thomas Hardjono
TY	Tom Yu
ZT	Zhanna Tsitkov

Difference between revisions of "Projects/Documentation Tasks"

Latest revision as of 09:28, 5 June 2013

Contents

Purpose

Application development

Administration

General

API documentation

Manpage proofreading

Abbreviations

Navigation menu

Views

Personal tools

Navigation

Search

Tools

@@ Line 5: / Line 5: @@
 To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.
-{| class="wikitable"
-|+ Matrix of Document-Type VS Intended Readership
-|-
-! Doc-type/Reader
-! Architectural Guide
-! Setup & Config of Kerberos
-! Admin & Operations of Kerberos
-! Custom Build
-! API Description
-! API Details
-|-
-|-
-| End-users || || || || || ||
-|-
-| Architects || || || || || ||
-|-
-|System Admins || || || || || ||
-|-
-|Application Developers || || || || || ||
-|-
-|GSSAPI Developers || || || || || ||
-|-
-|Kerberos Developers || || || || || ||
-|}
@@ Line 45: / Line 19: @@
 |-
 |-
-| Designing a new protocol, or extending existing one, to use GSS-API || NW || || ||
+| Designing a new protocol, or extending existing one, to use GSS-API || || || ||
 |-
 | Choosing security API|| || || ||
 |-
-| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| NW || || ||
+| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || ||
 |-
-| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| NW || || ||
+| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || ||
 |-
 | GSS-API || || || ||
 |-
-| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| NW || || ||
+| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || ||
 |-
-| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| NW || || ||
+| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || ||
 |-
-| <ul><li> How to write mechanism-independent GSS-API code</ul>|| NW || || ||
+| <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || ||
 |-
-| <ul><li>  Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH||2012-03-01|| || DONE
+| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || ||
-|-
-| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| NW || || ||
 |-
 | <ul><li> Using IAKERB</ul>|| || || ||
-|-
-| <ul><li> Anonymous credentials</ul>|| GH ||2012-10-01 || ||
 |-
 | <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || ||
 |-
-| <ul><li> Available extensions</ul>|| NW || || ||
+| <ul><li> Available extensions</ul>|| || || ||
 |-
 | <ul><li> Thread safety</ul>|| KR || || ||
 |-
 | <ul><li> Validating the flags set on the connection  to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||
-|-
-| Developing plugins|| GH ||2012-03-08||  || ready for review
-|-
-| <ul><li> A guide to developing plugins </ul>|| || || || DONE
-|-
-| <ul><li>Overview of existing pluggable interfaces   </ul>|| ||  ||ZT reviewed profile plugin || DONE
 |-
 | Krb5 library guide|| || || ||
 |-
-| <ul><li>  A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || 2012-04-27 ||need examples ||
+| <ul><li> Kerberos prompter behavior</ul>|| || || ||
-|-
-| <ul><li> Kerberos prompter behavior</ul>|| NW || || ||
 |-
 | <ul><li>  An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || || under review
@@ Line 99: / Line 63: @@
 | <ul><li>  krb5_appdefault_* functions and their alternatives </ul>|| || || ||
 |-
-| MIT Kerberos features : quick facts || ZT || ongoing || || DONE
+|}
+{| class="wikitable"
+|+
+|-
+! Completed task
+! Author
+! Date
+! Reviewer
+! Reviewer Comments
+|-
+| Choosing security API|| || || ||
+|-
+| <ul><li>  Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH||2012-03-01|| ||
+|-
+| <ul><li> Anonymous credentials</ul> || GH || 2012-10-01 || ||
+|-
+| Developing plugins|| GH ||2012-03-08||  ||
+|-
+| <ul><li> A guide to developing plugins </ul>|| || || ||
+|-
+| <ul><li>Overview of existing pluggable interfaces   </ul>|| ||  ||ZT reviewed profile plugin ||
+|-
+| A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential|| TY || 2012-04-27 || ||
+|-
+| MIT Kerberos features : quick facts || ZT || ongoing || ||
 |-
-| How to build Kerberos from source || ZT || || || DONE
+| How to build Kerberos from source || ZT || || ||
 |-
 |}
@@ Line 118: / Line 107: @@
 | Introduction to Kerberos system || || || ||
 |-
-|<ul><li>Man page </ul>|| TH || 2012-07-15|| ||
+|<ul><li>Man page </ul>|| TH || 2012-08-15|| || in progress
 |-
-|<ul><li>General overview</ul>|| TH ||2012-07-15 || ||
+|<ul><li>General overview</ul>|| TH ||2012-08-15 || ||
+|-
+|<ul><li>Intro for admins</ul>|| TH ||2012-08-15 || ||
+|-
+|<ul><li>Technical overview</ul>|| TH ||2012-07-15 || ||in progress
 |-
 |Setting a new realm|| || || ||
 |-
 |<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||
-|-
-|<ul><li>Replication</ul>|| ZT|| || || DONE
 |-
 |<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || ||
 |-
-| Reverse DNS|| TY|| 2012-10-01|| ||
+| Choosing encryption types for principals|| TY|| 2012-12-14|| ||under review
 |-
-| Choosing encryption types for principals|| TY|| 2012-10-01|| ||
+| Upgrading a Kerberos infrastructure (order, backward compatibility) || || || ||
 |-
 | Integration Kerberos with Login System|| || || ||
@@ Line 140: / Line 127: @@
 | <ul><li> Validating Kerberos tickets</ul>|| || || ||
 |-
-| <ul><li> Clear text password over HTTPS </ul>|| NW || || ||
+| <ul><li> Clear text password over HTTPS </ul>|| || || ||
 |-
-| <ul><li> Configuring with pam_krb5 module</ul>|| NW || || ||
+| <ul><li> Configuring with pam_krb5 module</ul>|| || || ||
 |-
 | <ul><li> Storing/locating keytab</ul>|| || || ||
@@ Line 166: / Line 153: @@
 | Using Smartcard with PKINIT|| || || ||
 |-
-| Kerberized ssh|| NW || || ||
+| Kerberized ssh|| || || ||
 |-
 | <ul><li> Configuration</ul>|| || || ||
@@ Line 172: / Line 159: @@
 | <ul><li>Cross-realm and ssh</ul>|| || || ||
 |-
-| Selecting and configuring plugins|| GH ||2012-03-15|| || DONE
+| A guide to principal naming basics and structure|| ZT ||2013-03-01 || ||
-|-
-| Anonymity support|| GH ||2012-10-01 || ||
-|-
-| A guide to principal naming basics and structure|| || || ||
 |-
 | Troubleshooting|| || || ||
 |-
 | <ul><li>Troubleshooting  errors</ul> || ZT || ongoing|| ||
-|-
-| <ul><li>Trace logging</ul>||GH ||2012-03-22|| ||DONE
 |-
 | <ul><li>Realm renaming </ul>|| || || ||
 |-
-| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid) DONE
+| <ul><li> Forgot Kerberos Master Key|| GH || || ||
 |-
 | Basic concepts (passwd policy, ticket ) || || || ||
@@ Line 192: / Line 173: @@
 | Approaches to authorization -- centralized vs distributed, etc. || || || ||
 |-
-| Acceptable date and time formats || ZT || 2012-07-15 || ||DONE
+|}
+{| class="wikitable"
+|+
 |-
-| kadm5.acl man page  || ZT || 2012-08-15 || ||
+! Completed task
+! Author
+! Date
+! Reviewer
+! Reviewer Comments
+|-
+| Replication || ZT|| || ||
+|-
+| Reverse DNS|| TY|| 2012-12-12|| ||
+|-
+| Selecting and configuring plugins|| GH ||2012-03-15|| ||
+|-
+| Anonymity support|| GH ||2012-10-01 || ||
+|-
+| Trace logging ||GH ||2012-03-22|| ||
+|-
+| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid)
+|-
+| Acceptable date and time formats || ZT || 2012-07-15 || ||
+|-
+| kadm5.acl man page  || ZT || 2012-08-15 || ||
+|-
+|}
+== General ==
+{| class="wikitable"
+|+
+|-
+! task
+! Proposed Author
+! Target Date
+! Reviewer
+! Reviewer Comments
+|-
+| Why Kerberos system is suitable for the internet, not only for the enterprise || TY || || ||
+|-
+| Impact RC4 vulnerabilities on Kerberos || TY || || ||
 |-
 |}
@@ Line 200: / Line 222: @@
 == API documentation ==
-===Most commonly used API functions (in alphabetical order)===
+Most commonly used API functions (in alphabetical order):
 {| class="wikitable"
 |+ Tier 1 - Highest priority
 |-
-! API
+! Completed API
-! Proposed Author
+!  Author
 ! Reviewer
-! Target Date
+!  Date
 ! Reviewer Comments
 |-
@@ Line 381: / Line 404: @@
 |-
 |}
-We may want to have more examples for some of the common API funcitons.
+We may want to have more examples for some of the common API functions.
 == Manpage proofreading ==