
Release Meeting Minutes/2012-04-17

From K5Wiki

Will Fiveash, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu

Encrypted timestamp preauth

Will
Granularity of error handling on init_creds. Invalid password different from principal not found. Is it reasonable to treat differently in terms of fallback? Maybe clients should know about KDC policies.
Greg
n-strikes -- strikes are not against the person, but the account object. Purpose is to mitigate attacks. Some suggestions about tracking password failures by source IP address; that's not necessarily helpful due to spoofing, NATs, etc.
Will
Errors from propagation delays -- either password changes or principal creation.
Simo
Lockout counts are not replicated in AD.
Greg
There's currently no protection against trying a KDC twice (1.3.1 master KDC behavior changes).
Simo
Maybe they didn't know about lockout count independence. Or maybe pass info about which KDCs have been tried.
Greg
Might want to track which KDCs you've talked to for other reasons, e.g. SAM preauth (causes KDC to create some state). Currently not enough state passed around; would need code rearrangement. On the bright side, sendto_kdc is a private interface, so we can change it more easily.
Will
Bug we introduced -- non-PKINIT preauth. Ended up sending encrypted timestamp preauth in first AS-REQ. If principal doesn't have a key for that enctype... Solaris was using aes256; principal didn't have AES key. KDC said preauth failed. Asked Microsoft whether it would be a strike (against password failure lockout); he said no. MIT gives preauth failed.
Greg
Encrypted timestamp doesn't distinguish between wrong key and no key.
Will
Optimistic preauth
Greg
So you don't want a "strike" in that case. Preauth failed ... Sam wanted to try different mechs. Retry once...
Will
Additional data?
Greg
Can define e-data. Encrypted timestamp doesn't.
Tom
AD might send some non-standard errors.
Will
Forwarded some messages to you. ETYPE_NOSUPP...

GSS extensions

Simo
Nico sent message to kitten ... 2 weeks ago. Simon mostly in favor. No objections.
Greg
Didn't see any serious objections. People wanted to make sure the exported form contained a reference to a store, not the actual creds. Project proposal, for documentation purposes at least. Github fork probably best way to contribute for now.
Simo
Attributions wrong...
Greg
Will manually attribute in commit; we'll work out policy for how to handle it for when we have done the git cutover.
Simo
Will clean up and let you know.
Simo
Export/import cred more important than partial sec context export.

IRC logging

Tom
We're losing lopbot, so possibly no logging of #krbdev soon. Might get a minimal replacement for logging. Do people care about gaps in logging?
Will
Would be nice to have logs.

Release planning

Will
Verify init creds -- pick based on keytab contents. Try all host/* principals. Will submit patch via git.