Release Meeting Minutes/2012-04-17
From K5Wiki
Will Fiveash, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu
Encrypted timestamp preauth
- Will
- granularity of error handling on init_creds. Invalid password different from principal not found. Is reasonable to treat differently in terms of fallback? Maybe clients should know about KDC policies.
- Greg
- n-strikes -- strikes are not against the person, but the account object. Purpose is to mitigate attacks. Some suggestions about tracking password failures by source IP address; that's not necessarily helpful due to spoofing, NATs, etc.
- Will
- Errors from propagation delays -- either password changes or principal creation.
- Simo
- Lockout counts are not replicated in AD.
- Greg
- There's currently no protection against trying a KDC twice (1.3.1 master KDC behavior changes).
- Simo
- Maybe they didn't know about lockout count independence. Or maybe pass info about which KDCs have been tried.
- Greg
- Might want to track which KDCs you've talked to for other reasons, e.g. SAM preauth (causes KDC to create some state). Currently not enough state passed around; would need code rearrangement. On the bright side, sendto_kdc is a private interface, so we can change it more easily.
- WIll
- Bug we introduced -- non-PKINIT preauth. Ended up sending encrypted timestamp preauth in first AS-REQ. If principal doesn't have a key for that enctype... Solaris was using aes256; principal didn't have AES key. KDC said preauth failed. Asked Microsoft whether it would be a strike (against password failure lockout); he said no. MIT gives preauth failed.
- Greg
- Encrypted timestamp doesn't distinguish between wrong key and no key.
- Will
- optimistic preauth
- Greg
- So you don't want a "strike" in that case. Preauth failed ... Sam wanted to try different mechs. Retry once...
- Will
- Additional data?
- Greg
- Can define e-data. Encrypted timestamp doesn't.
- Tom
- AD might send some non-standard errors.
- Will
- Forwarded some messages to you. ETYPE_NOSUPP...
GSS extensions
- Simo
- Nico sent message to kitten ... 2 weeks ago. Simon mostly in favor. No objections.
- Greg
- Didn't see any serious objections. People wanted to make sure the exported form contained a reference to a store, not the actual creds. Project proposal, for documentation purposes at least. Github fork probably best way to contribute for now.
- Simo
- Attributions wrong...
- Greg
- Will manually attribute in commit; we'll work out policy for how to handle it for when we have done the git cutover.
- Simo
- Will clean up and let you know.
- Simo
- Export/import cred more important than partial sec context export.
IRC logging
- Tom
- We're losing lopbot, so possibly no logging of #krbdev soon. Might get a minimal replacement for logging. Do people care about haps in logging?
- Will
- Would be nice to have logs.
Release planning
- Will
- Verify init creds -- pick based on keytab contents. Try all host/* principals. Will submit patch via git.