logo_kerberos.gif

Release Meeting Minutes/2012-04-24

From K5Wiki
Jump to: navigation, search


Will Fiveash, Thomas Hardjono, Greg Hudson, Nathaniel McCallum, Simo Sorce, Zhanna Tsitkov, Tom Yu

Git migration

Tom
Git migration in progress. krb5-test repository. expect some chance of partial/complete rewrite of history if we come across any critical problems (svn merge ticket can cause rebase to choke?) Tentative cutover is weekend of 2012-05-11.
Nathaniel
filter-branch? change parents, or reapply patchset.
Tom
Is it a good idea to avoid filter-branch generally?
Nathaniel
It's easy to make disasters.

Branch office KDCs

Simo
Reducing exposure in case branch office is taken over. Subset of keys? Probably read-only, but not necessarily. User gets TGT from branch office KDC, but talks to service not keyed by branch office KC. Use different TGT keys, also master key. Main KDC should have all branch office TGT keys.
Greg
Microsoft uses kvno. Try to avoid high bit in kvno for interop reasons.

Greg and Simo discuss some alternatives, including branch office KDC having a protocol for wrapping the TGS-REQ/REP to/from the master on behalf of the client, or possibly acting simply as a packet forwarder.


Simo
For requesting a TGT. Non-branch user wants TGT. Branch KDC can impersonate services to that user.
Greg
Legitimate security concern. Subdomains of control -- minimizing impact of compromise. AD-style cross-realm invented to deal with this.
Simo
Useful to have stable principal names. Also handling multiple realms not so greta. Don't want to make clients too smart... they're harder to update.
Greg
IP addresses may need wrappers.
Simo
Plugin for proxy wrapper for talking to master KDC.
Tom
Any plugin interface for this is going to be complex itself.