https://k5wiki.kerberos.org/wiki?action=history&feed=atom&title=Ops_feedback_notes_2014-11-04Ops feedback notes 2014-11-04 - Revision history2026-05-04T15:07:55ZRevision history for this page on the wikiMediaWiki 1.27.4https://k5wiki.kerberos.org/wiki?title=Ops_feedback_notes_2014-11-04&diff=5421&oldid=prevTomYu: New page: {{opsnotes|2014}} ==FIPS 140== Often people wave hands and say their Kerberos installation is "LoA 2". Need cert-based to get higher LoAs. Using cert-based auth for more sensitive stuf...2014-11-06T23:41:42Z<p>New page: {{opsnotes|2014}} ==FIPS 140== Often people wave hands and say their Kerberos installation is "LoA 2". Need cert-based to get higher LoAs. Using cert-based auth for more sensitive stuf...</p>
<p><b>New page</b></p><div>{{opsnotes|2014}}<br />
<br />
==FIPS 140==<br />
<br />
Often people wave hands and say their Kerberos installation is "LoA 2". Need cert-based to get higher LoAs. Using cert-based auth for more sensitive stuff. PKINIT for higher LoAs for Kerberos is interesting. Smart Card Windows login to ssh to Unix systems. Hop-by-hop forwarding of agent connection, etc. There are PuTTY patches for GSS-keyex with cascading creds.<br />
<br />
==Devops==<br />
<br />
Often sites will do customized builds in-house. For testing, some have QA environments that duplicate entire production KDC setup; others incrementally stage software changes via slave KDCs. It's best to allow for the testing-slave approach because full environment duplication is expensive.</div>TomYu