
Difference between revisions of "Projects/Documentation Tasks"

From K5Wiki
(Updated Administration tasks list)
m (Administration)
 
(53 intermediate revisions by 5 users not shown)
Line 6: Line 6:
   
   
  +
  +
== Application development ==
   
 
{| class="wikitable"
 
{| class="wikitable"
|+ Matrix of Document-Type VS Intended Readership
 
  +
|+
 
|-
 
|-
! Doc-type/Reader
 
  +
! task
! Architectural Guide
 
  +
! Proposed Author
! Setup & Config of Kerberos
 
  +
! Target Date
! Admin & Operations of Kerberos
 
  +
! Reviewer
! Custom Build
 
  +
! Reviewer Comments
! API Description
 
! API Details
 
 
|-
 
|-
 
|-
 
|-
| End-users || || || || || ||
 
  +
| Designing a new protocol, or extending existing one, to use GSS-API || || || ||
 
|-
 
|-
| Architects || || || || || ||
+
| Choosing security API|| || || ||
 
|-
 
|-
|System Admins || || || || || ||
+
| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || ||
 
|-
 
|-
|Application Developers || || || || || ||
 
  +
| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || ||
 
|-
 
|-
|GSSAPI Developers || || || || || ||
+
| GSS-API || || || ||
 
|-
 
|-
|Kerberos Developers || || || || || ||
 
  +
| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || ||
|}
 
 
 
== Application development ==
 
 
{| class="wikitable"
 
|+
 
 
|-
 
|-
! task
 
  +
| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || ||
! who writes?
 
! who reviews?
 
! reviewed?
 
! comments
 
 
|-
 
|-
  +
| <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || ||
 
|-
 
|-
| A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues|| || || ||
+
| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || ||
 
|-
 
|-
| How to get servers to use any key in a keytab|| || || ||
 
  +
| <ul><li> Using IAKERB</ul>|| || || ||
 
|-
 
|-
| How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is|| || || ||
 
  +
| <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || ||
 
|-
 
|-
| How to write mechanism-independent GSS-API code and when to do so|| || || ||
 
  +
| <ul><li> Available extensions</ul>|| || || ||
 
|-
 
|-
| SASL: how to use it, and how it interacts with GSS-API|| || || ||
 
  +
| <ul><li> Thread safety</ul>|| KR || || ||
 
|-
 
|-
| A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credentials|| || || ||
 
  +
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||
 
|-
 
|-
| An introduction to ticket caches and keytabs and their corresponding APIs|| || || ||
 
  +
| Krb5 library guide|| || || ||
 
|-
 
|-
| An advanced guide to the pre-auth mechanisms, FAST|| || || ||
 
  +
| <ul><li> Kerberos prompter behavior</ul>|| || || ||
 
|-
 
|-
| An advanced guide to the principal manipulation and parsing|| || || ||
 
  +
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || || under review
 
|-
 
|-
| A guide to GSS-API naming as compared to Kerberos principal naming|| || || ||
+
| <ul><li> An advanced guide to the pre-auth mechanisms, FAST</ul>|| || || ||
 
|-
 
|-
| A guide to the similarities and differences between Heimdal and MIT Kerberos API|| || || ||
+
| <ul><li> An advanced guide to the principal manipulation and parsing</ul>|| TY || TBD || ||
 
|-
 
|-
| MIT Kerberos features : quick facts || ZT || || || ongoing ||
 
  +
| <ul><li> Thread safety</ul>|| KR || || ||
  +
|-
  +
| <ul><li> Password change including the automatic internal support for password change on expired passwords if a prompter is provided</ul>|| || || ||
  +
|-
  +
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || ||
 
|-
 
|-
 
|}
 
|}
   
  +
{| class="wikitable"
  +
|+
  +
|-
  +
! Completed task
  +
! Author
  +
! Date
  +
! Reviewer
  +
! Reviewer Comments
  +
|-
  +
| Choosing security API|| || || ||
  +
|-
  +
| <ul><li> Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH||2012-03-01|| ||
  +
|-
  +
| <ul><li> Anonymous credentials</ul> || GH || 2012-10-01 || ||
  +
|-
  +
| Developing plugins|| GH ||2012-03-08|| ||
  +
|-
  +
| <ul><li> A guide to developing plugins </ul>|| || || ||
  +
|-
  +
| <ul><li>Overview of existing pluggable interfaces </ul>|| || ||ZT reviewed profile plugin ||
  +
|-
  +
| A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential|| TY || 2012-04-27 || ||
  +
|-
  +
| MIT Kerberos features : quick facts || ZT || ongoing || ||
  +
|-
  +
| How to build Kerberos from source || ZT || || ||
  +
|-
  +
|}
   
 
== Administration ==
 
== Administration ==
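Review bot: In the new "Completed task" table, the row "MIT Kerberos features : quick facts || ZT || ongoing || ||" has "ongoing" in the Date column, which contradicts listing it as completed; either leave it in the open-task table or record a completion date. The same table lists "Choosing security API" with no author or date while the open-task table above still carries a "Choosing security API" row, so the item's status is ambiguous; keep it in one table only. The two added "Thread safety" rows (both assigned to KR) are worded identically, one under GSS-API and one under "Krb5 library guide"; naming the library in each row would keep them distinguishable when read outside their parent rows.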
Line 78: Line 100:
 
|-
 
|-
 
! task
 
! task
! who writes?
 
  +
! Proposed Author
! who reviews?
 
  +
! Target Date
! reviewed?
 
  +
! Reviewer
! comments
 
  +
! Reviewer Comments
 
|-
 
|-
  +
| Introduction to Kerberos system || || || ||
  +
|-
  +
|<ul><li>Man page </ul>|| TH || 2012-08-15|| || in progress
  +
|-
  +
|<ul><li>General overview</ul>|| TH ||2012-08-15 || ||
  +
|-
  +
|<ul><li>Intro for admins</ul>|| TH ||2012-08-15 || ||
  +
|-
  +
|<ul><li>Technical overview</ul>|| TH ||2012-07-15 || ||in progress
 
|-
 
|-
 
|Setting a new realm|| || || ||
 
|Setting a new realm|| || || ||
Line 88: Line 119:
 
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||
 
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||
 
|-
 
|-
|<ul><li>Replication</ul>|| || || ||
+
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || ||
  +
|-
  +
| Choosing encryption types for principals|| TY|| 2012-12-14|| ||under review
  +
|-
  +
| Upgrading a Kerberos infrastructure (order, backward compatibility) || || || ||
 
|-
 
|-
 
| Integration Kerberos with Login System|| || || ||
 
| Integration Kerberos with Login System|| || || ||
  +
|-
  +
| <ul><li> Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment</ul>|| || || ||
 
|-
 
|-
 
| <ul><li> Validating Kerberos tickets</ul>|| || || ||
 
| <ul><li> Validating Kerberos tickets</ul>|| || || ||
Line 96: Line 129:
 
| <ul><li> Clear text password over HTTPS </ul>|| || || ||
 
| <ul><li> Clear text password over HTTPS </ul>|| || || ||
 
|-
 
|-
| <ul><li> Configuring with krb5_pam module</ul>|| || || ||
+
| <ul><li> Configuring with pam_krb5 module</ul>|| || || ||
 
|-
 
|-
 
| <ul><li> Storing/locating keytab</ul>|| || || ||
 
| <ul><li> Storing/locating keytab</ul>|| || || ||
Line 103: Line 136:
 
|-
 
|-
 
| <ul><li>cross-realm interaction with AD </ul>|| || || ||
 
| <ul><li>cross-realm interaction with AD </ul>|| || || ||
  +
|-
  +
| <ul><li> Transitive trust</ul>|| || || ||
  +
|-
  +
| <ul><li> Referrals</ul>|| || || ||
 
|-
 
|-
 
| Performance|| || || ||
 
| Performance|| || || ||
Line 110: Line 147:
 
| <ul><li> Performance tradeoffs</ul>|| || || ||
 
| <ul><li> Performance tradeoffs</ul>|| || || ||
 
|-
 
|-
| Keying workstation/ host key setting|| || || ||
+
| kadmin interface|| || || ||
  +
|-
  +
| <ul><li> Keying workstation/ host key setting</ul>|| || || ||
 
|-
 
|-
 
| Using Smartcard with PKINIT|| || || ||
 
| Using Smartcard with PKINIT|| || || ||
|-
 
| Selecting and configuring plugins|| || || ||
 
 
|-
 
|-
 
| Kerberized ssh|| || || ||
 
| Kerberized ssh|| || || ||
Line 122: Line 157:
 
| <ul><li>Cross-realm and ssh</ul>|| || || ||
 
| <ul><li>Cross-realm and ssh</ul>|| || || ||
 
|-
 
|-
| Selecting and configuring plugins|| GH || || ||
 
  +
| A guide to principal naming basics and structure|| ZT ||2013-03-01 || ||
 
|-
 
|-
| Anonymity support|| || || ||
+
| Troubleshooting|| || || ||
 
|-
 
|-
| A guide to principal naming basics and structure|| || || ||
 
  +
| <ul><li>Troubleshooting errors</ul> || ZT || ongoing|| ||
 
|-
 
|-
| Troubleshooting|| || || ||
+
| <ul><li>Realm renaming </ul>|| || || ||
 
|-
 
|-
| <ul><li>Troubleshooting errors</ul> || || || ||
+
| <ul><li> Forgot Kerberos Master Key|| GH || || ||
 
|-
 
|-
| <ul><li>Trace logging</ul>|| || || ||
 
  +
| Basic concepts (passwd policy, ticket ) || || || ||
 
|-
 
|-
| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid) ||
 
  +
| Approaches to authorization -- centralized vs distributed, etc. || || || ||
 
|-
 
|-
 
|}
 
|}
   
  +
  +
{| class="wikitable"
  +
|+
  +
|-
  +
! Completed task
  +
! Author
  +
! Date
  +
! Reviewer
  +
! Reviewer Comments
  +
|-
  +
| Replication || ZT|| || ||
  +
|-
  +
| Reverse DNS|| TY|| 2012-12-12|| ||
  +
|-
  +
| Selecting and configuring plugins|| GH ||2012-03-15|| ||
  +
|-
  +
| Anonymity support|| GH ||2012-10-01 || ||
  +
|-
  +
| Trace logging ||GH ||2012-03-22|| ||
  +
|-
  +
| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid)
  +
|-
  +
| Acceptable date and time formats || ZT || 2012-07-15 || ||
  +
|-
  +
| kadm5.acl man page || ZT || 2012-08-15 || ||
  +
|-
  +
|}
  +
  +
== General ==
  +
  +
{| class="wikitable"
  +
|+
  +
|-
  +
! task
  +
! Proposed Author
  +
! Target Date
  +
! Reviewer
  +
! Reviewer Comments
  +
|-
  +
| Why Kerberos system is suitable for the internet, not only for the enterprise || TY || || ||
  +
|-
  +
| Impact RC4 vulnerabilities on Kerberos || TY || || ||
  +
|-
  +
|}
   
 
== API documentation ==
 
== API documentation ==
   
===Most commonly used API functions (in alphabetical order)===
 
  +
  +
Most commonly used API functions (in alphabetical order):
   
 
{| class="wikitable"
 
{| class="wikitable"
 
|+ Tier 1 - Highest priority
 
|+ Tier 1 - Highest priority
 
|-
 
|-
! API
+
! Completed API
! who writes?
+
! Author
! who reviews?
+
! Reviewer
! reviewed?
+
! Date
! comments
+
! Reviewer Comments
 
|-
 
|-
 
|-
 
|-
| krb5_build_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal.html]|| ZT || || ||
+
| krb5_build_principal [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_build_principal.html]|| ZT || GH|| ||
 
|-
 
|-
|krb5_build_principal_alloc_va [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_alloc_va.html] || ZT || || ||
+
|krb5_build_principal_alloc_va [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_build_principal_alloc_va.html] || ZT || GH|| ||
 
|-
 
|-
| krb5_build_principal_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_ext.html]|| ZT || || ||
+
| krb5_build_principal_ext [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_build_principal_ext.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_cc_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_close.html] || || || ||
+
| krb5_cc_close [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_close.html] ||ZT ||GH || ||
 
|-
 
|-
| krb5_cc_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default.html]|| ZT|| || ||
+
| krb5_cc_default [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_default.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_cc_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default_name.html]|| ZT|| || ||
+
| krb5_cc_default_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_default_name.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_cc_destroy [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_destroy.html]|| ZT|| || ||
+
| krb5_cc_destroy [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_destroy.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_cc_dup [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_dup.html]|| ZT|| || ||
+
| krb5_cc_dup [http://web.mit.edu/kerberos/krb5-current/dockrb_appldev/refs/api/krb5_cc_dup.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_cc_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_name.html]|| ZT || || ||
+
| krb5_cc_get_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_get_name.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_cc_get_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_principal.html]|| ZT || || ||
+
| krb5_cc_get_principal [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_get_principal.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_cc_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_type.html]|| ZT || || ||
+
| krb5_cc_get_type [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_get_type.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_cc_initialize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_initialize.html]|| ZT|| || ||
+
| krb5_cc_initialize [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_initialize.html]|| ZT||GH || ||
 
|-
 
|-
| krb5_cc_new_unique [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_new_unique.html]|| ZT|| || ||
+
| krb5_cc_new_unique [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_new_unique.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_cc_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_resolve.html]|| ZT|| || ||
+
| krb5_cc_resolve [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_cc_resolve.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_change_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_change_password.html]|| ZT|| || ||
+
| krb5_change_password [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_change_password.html]|| ZT||GH || ||
 
|-
 
|-
| krb5_free_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_context.html]|| ZT|| || ||
+
| krb5_free_context [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_free_context.html]|| ZT|| GH|| ||
 
|-
 
|-
| krb5_free_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_error_message.html]|| ZT || || ||
+
| krb5_free_error_message [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_free_error_message.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_free_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_principal.html]|| ZT || || ||
+
| krb5_free_principal [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_free_principal.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_fwd_tgt_cred [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_fwd_tgt_cred.html]|| ZT || || || Needs example ||
+
| krb5_fwd_tgt_cred [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_fwd_tgt_cred.html]|| ZT || GH|| || Needs example
 
|-
 
|-
| krb5_get_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_default_realm.html]|| ZT || || ||
+
| krb5_get_default_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_default_realm.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_error_message.html]|| ZT || || ||
+
| krb5_get_error_message [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_error_message.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_host_realm.html]|| ZT || || ||
+
| krb5_get_host_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_host_realm.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_credentials [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_credentials.html]|| ZT || || ||
+
| krb5_get_credentials [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_credentials.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_fallback_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_fallback_host_realm.html]|| || || ||
+
| krb5_get_fallback_host_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_fallback_host_realm.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_keytab [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_keytab.html]|| ZT || || ||
+
| krb5_get_init_creds_keytab [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_keytab.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_alloc [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_alloc.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_alloc [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_alloc.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_free [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_free.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_free [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_free.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_get_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_get_fast_flags.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_get_fast_flags [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_init [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_init.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_init [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_init.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_address_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_address_list.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_address_list [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_address_list.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_anonymous [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_anonymous.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_anonymous [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_anonymous.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_canonicalize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_canonicalize.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_canonicalize [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_change_password_prompt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_change_password_prompt [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_etype_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_etype_list.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_etype_list [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_etype_list.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_expire_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_expire_callback.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_expire_callback [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_fast_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_fast_ccache [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_fast_ccache_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_fast_ccache_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_flags.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_fast_flags [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_forwardable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_forwardable.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_forwardable [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_forwardable.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_out_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_out_ccache.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_out_ccache [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_pa [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_pa.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_pa [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_pa.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_preauth_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_preauth_list.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_preauth_list [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_proxiable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_proxiable.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_proxiable [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_proxiable.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_renew_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_renew_life.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_renew_life [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_renew_life.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_salt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_salt.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_salt [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_salt.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_opt_set_tkt_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_tkt_life.html]|| ZT || || ||
+
| krb5_get_init_creds_opt_set_tkt_life [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_init_creds_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_password.html]|| ZT || || ||
+
| krb5_get_init_creds_password [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_init_creds_password.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_profile [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_profile.html]|| ZT || || ||
+
| krb5_get_profile [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_profile.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_prompt_types [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_prompt_types.html]|| ZT || || ||
+
| krb5_get_prompt_types [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_prompt_types.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_get_renewed_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_renewed_creds.html]|| ZT || || ||
+
| krb5_get_renewed_creds [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_renewed_creds.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_get_validated_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_validated_creds.html]|| ZT || || ||
+
| krb5_get_validated_creds [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_get_validated_creds.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_init_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_context.html]|| ZT || || ||
+
| krb5_init_context [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_init_context.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_init_secure_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_secure_context.html]|| ZT || || ||
+
| krb5_init_secure_context [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_init_secure_context.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_is_config_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_config_principal.html]|| ZT || || ||
+
| krb5_is_config_principal [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_is_config_principal.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_is_thread_safe [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_thread_safe.html]|| ZT || || ||
+
| krb5_is_thread_safe [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_is_thread_safe.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_kt_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_close.html]|| ZT || || ||
+
| krb5_kt_close [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_close.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_kt_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default.html]|| ZT || || ||
+
| krb5_kt_default [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_default.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_kt_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default_name.html]|| ZT || || ||
+
| krb5_kt_default_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_default_name.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_kt_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_name.html]|| ZT || || ||
+
| krb5_kt_get_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_get_name.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_kt_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_type.html] || ZT || || ||
+
| krb5_kt_get_type [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_get_type.html] || ZT ||GH || ||
 
|-
 
|-
| krb5_kt_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_resolve.html]|| ZT || || ||
+
| krb5_kt_resolve [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kt_resolve.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_kuserok [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kuserok.html] || ZT || || ||
+
| krb5_kuserok [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_kuserok.html] || ZT ||GH || ||
 
|-
 
|-
| krb5_parse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name.html]|| ZT || || ||
+
| krb5_parse_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_parse_name.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_parse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name_flags.html]|| ZT || || ||
+
| krb5_parse_name_flags [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_parse_name_flags.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_principal_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare.html]|| ZT || || ||
+
| krb5_principal_compare [http://web.mit.edu/kerberos/krb5-current/dockrb_appldev/refs/api/krb5_principal_compare.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_principal_compare_any_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_any_realm.html]|| ZT || || ||
+
| krb5_principal_compare_any_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_principal_compare_any_realm.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_principal_compare_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_flags.html]|| ZT || || ||
+
| krb5_principal_compare_flags [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_principal_compare_flags.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_prompter_posix [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_prompter_posix.html]|| || || ||
+
| krb5_prompter_posix [http://web.mit.edu/kerberos/krb5-current/dockrb_appldev/refs/api/krb5_prompter_posix.html]|| ZT||GH || ||
 
|-
 
|-
| krb5_realm_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_realm_compare.html]|| ZT || || ||
+
| krb5_realm_compare [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_realm_compare.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_recvauth [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth.html]|| || || ||
+
| krb5_recvauth [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_recvauth.html]||ZT ||GH || ||
 
|-
 
|-
| krb5_recvauth_version [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth_version.html] || || || ||
+
| krb5_recvauth_version [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_recvauth_version.html] ||ZT ||GH || ||
 
|-
 
|-
| krb5_set_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_default_realm.html]|| ZT || || ||
+
| krb5_set_default_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_default_realm.html]|| ZT ||GH || ||
 
|-
 
|-
| krb5_set_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password.html]|| ZT || || ||
+
| krb5_set_password [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_password.html]|| ZT || GH|| ||
 
|-
 
|-
| krb5_set_password_using_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password_using_ccache.html] || ZT || || ||
+
| krb5_set_password_using_ccache [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_password_using_ccache.html] || ZT ||GH || ||
 
|-
 
|-
| krb5_set_principal_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_principal_realm.html] || ZT || || ||
+
| krb5_set_principal_realm [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_principal_realm.html] || ZT || GH|| ||
  +
|-
  +
| krb5_set_trace_callback [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_trace_callback.html]|| ZT ||GH || ||
  +
|-
  +
| krb5_set_trace_filename [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_set_trace_filename.html]|| ZT ||GH || ||
  +
|-
  +
| krb5_sname_to_principal [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_sname_to_principal.html]|| ZT ||GH || ||
  +
|-
  +
| krb5_unparse_name [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_unparse_name.html]|| ZT || GH|| ||
  +
|-
  +
| krb5_unparse_name_ext [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_unparse_name_ext.html]|| ZT ||GH || ||
  +
|-
  +
| krb5_unparse_name_flags [http://web.mit.edu/kerberos/krb5-current/dockrb_appldev/refs/api/krb5_unparse_name_flags.html] || ZT || GH|| ||
  +
|-
  +
| krb5_unparse_name_flags_ext [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_unparse_name_flags_ext.html] || ZT ||GH || ||
  +
|-
  +
| krb5_us_timeofday [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_us_timeofday.html]|| ZT || GH|| ||
  +
|-
  +
| krb5_verify_authdata_kdc_issued [http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/krb5_verify_authdata_kdc_issued.html]|| ZT || GH|| ||
  +
|-
  +
|}
  +
We may want to have more examples for some of the common API functions.
  +
  +
== Manpage proofreading ==
  +
{| class="wikitable"
  +
|+
  +
|-
  +
! manpage
  +
! original
  +
! reviewer
  +
! comments
  +
|-
  +
| k5identity.5 || src/gen-manpages/k5identity.M || GH ||
  +
|-
  +
| k5login.5 || src/gen-manpages/k5login.M || GH ||
  +
|-
  +
| k5srvutil.1 || src/kadmin/cli/k5srvutil.M || GH ||
  +
|-
  +
| kadmin.1 || src/kadmin/cli/kadmin.M || GH ||
  +
|-
  +
| kadmind.8 || src/kadmin/server/kadmind.M || GH ||
  +
|-
  +
| kdb5_ldap_util.8 || src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M || GH ||
  +
|-
  +
| kdb5_util.8 || src/kadmin/dbutil/kdb5_util.M || GH ||
  +
|-
  +
| kdc.conf.5 || src/config-files/kdc.conf.M || GH ||
  +
|-
  +
| kdestroy.1 || src/clients/kdestroy/kdestroy.M || GH ||
  +
|-
  +
| kinit.1 || src/clients/kinit/kinit.M || GH ||
  +
|-
  +
| kpasswd.1 || src/clients/kpasswd/kpasswd.M || GH ||
  +
|-
  +
| kprop.8 || src/slave/kprop.M || GH ||
  +
|-
  +
| kpropd.8 || src/slave/kpropd.M || GH ||
  +
|-
  +
| kproplog.8 || src/slave/kproplog.M || GH ||
  +
|-
  +
| krb5-send-pr.1 || src/util/send-pr/send-pr.1 || || copyright issues. Removed from the documentation
  +
|-
  +
| krb5.conf.5 || src/config-files/krb5.conf.M || GH ||
  +
|-
  +
| krb5kdc.8 || src/kdc/krb5kdc.M || GH ||
  +
|-
  +
| ksu.1 || src/clients/ksu/ksu.M || GH || needs rewrite
  +
|-
  +
| kswitch.1 || src/clients/kswitch/kswitch.M || GH ||
  +
|-
  +
| kvno.1 || src/clients/kvno/kvno.M || GH ||
  +
|-
  +
| sclient.1 || src/appl/sample/sclient/sclient.M || GH ||
  +
|-
  +
| sserver.8 || src/appl/sample/sserver/sserver.M || GH ||
  +
|}
  +
  +
== Abbreviations ==
  +
  +
{| class="wikitable"
  +
|+
 
|-
 
|-
| krb5_set_trace_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_callback.html]|| ZT || || ||
 
  +
! abbreviation
  +
! full names?
 
|-
 
|-
| krb5_set_trace_filename [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_filename.html]|| ZT || || ||
 
 
|-
 
|-
| krb5_sname_to_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_sname_to_principal.html]|| ZT || || ||
 
  +
| GH || Greg Hudson
 
|-
 
|-
| krb5_unparse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name.html]|| ZT || || ||
 
  +
| KR || Ken Raeburn
 
|-
 
|-
| krb5_unparse_name_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_ext.html]|| ZT || || ||
 
  +
| MIT || MITKC group
 
|-
 
|-
| krb5_unparse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags.html] || ZT || || ||
 
  +
| NW || Nico Williams
 
|-
 
|-
| krb5_unparse_name_flags_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags_ext.html] || ZT || || ||
 
  +
| TH || Thomas Hardjono
 
|-
 
|-
| krb5_us_timeofday [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_us_timeofday.html]|| ZT || || ||
 
  +
| TY || Tom Yu
 
|-
 
|-
| krb5_verify_authdata_kdc_issued [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_verify_authdata_kdc_issued.html]|| ZT || || ||
 
  +
| ZT || Zhanna Tsitkov
 
|-
 
|-
 
|}
 
|}
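Review bot: the added krb5_unparse_name_flags row links to http://web.mit.edu/kerberos/krb5-current/dockrb_appldev/refs/api/krb5_unparse_name_flags.html, which is missing the slash between "doc" and "krb_appldev" that every other added API row has (".../krb5-current/doc/krb_appldev/refs/api/..."), so that one link will not resolve; change it to ".../doc/krb_appldev/refs/api/krb5_unparse_name_flags.html". In the new Abbreviations table, the "ZT" row reads "Zhanna Tsitkov" while the removed URLs in this same change use the path "tsitkova"; confirm the spelling of the name before saving, and consider dropping the question mark from the "full names?" column header.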

Latest revision as of 09:28, 5 June 2013

This is an early-stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

To keep track of the documentation tasks that need to be done, such as function documentation, administration, and troubleshooting.


Application development

task Proposed Author Target Date Reviewer Reviewer Comments
Designing a new protocol, or extending existing one, to use GSS-API
Choosing security API
  • GSS-API vs SASL vs KRB5
  • A guide to the similarities and differences between Heimdal and MIT Kerberos API
GSS-API
  • A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues
  • How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is
  • How to write mechanism-independent GSS-API code
  • A guide to GSS-API naming as compared to Kerberos principal naming
  • Using IAKERB
  • Delegating credentials
GH 2012-10-01
  • Available extensions
  • Thread safety
KR
  • Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection
Krb5 library guide
  • Kerberos prompter behavior
  • An introduction to ticket caches and keytabs and their corresponding APIs
KR under review
  • An advanced guide to the pre-auth mechanisms, FAST
  • An advanced guide to the principal manipulation and parsing
TY TBD
  • Thread safety
KR
  • Password change including the automatic internal support for password change on expired passwords if a prompter is provided
  • krb5_appdefault_* functions and their alternatives
Completed task Author Date Reviewer Reviewer Comments
Choosing security API
  • Acceptor naming - How to get servers to use any key in a keytab
GH 2012-03-01
  • Anonymous credentials
GH 2012-10-01
Developing plugins GH 2012-03-08
  • A guide to developing plugins
  • Overview of existing pluggable interfaces
ZT reviewed profile plugin
A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential TY 2012-04-27
MIT Kerberos features : quick facts ZT ongoing
How to build Kerberos from source ZT

Administration

task Proposed Author Target Date Reviewer Reviewer Comments
Introduction to Kerberos system
  • Man page
TH 2012-08-15 in progress
  • General overview
TH 2012-08-15
  • Intro for admins
TH 2012-08-15
  • Technical overview
TH 2012-07-15 in progress
Setting a new realm
  • Choosing backend: LDAP vs DB2
  • DNS configuration and SRV records - how they are used, in what order
KR
Choosing encryption types for principals TY 2012-12-14 under review
Upgrading a Kerberos infrastructure (order, backward compatibility)
Integrating Kerberos with Login System
  • Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment
  • Validating Kerberos tickets
  • Clear text password over HTTPS
  • Configuring with pam_krb5 module
  • Storing/locating keytab
Cross-realm
  • cross-realm interaction with AD
  • Transitive trust
  • Referrals
Performance
  • Performance tuning tips
  • Performance tradeoffs
kadmin interface
  • Keying workstation/ host key setting
Using Smartcard with PKINIT
Kerberized ssh
  • Configuration
  • Cross-realm and ssh
A guide to principal naming basics and structure ZT 2013-03-01
Troubleshooting
  • Troubleshooting errors
ZT ongoing
  • Realm renaming
  • Forgot Kerberos Master Key
GH
Basic concepts (passwd policy, ticket)
Approaches to authorization -- centralized vs distributed, etc.


Completed task Author Date Reviewer Reviewer Comments
Replication ZT
Reverse DNS TY 2012-12-12
Selecting and configuring plugins GH 2012-03-15
Anonymity support GH 2012-10-01
Trace logging GH 2012-03-22
Using LDAP server for Kerberos backend ZT Ubuntu 10.4 (lucid)
Acceptable date and time formats ZT 2012-07-15
kadm5.acl man page ZT 2012-08-15

General

task Proposed Author Target Date Reviewer Reviewer Comments
Why the Kerberos system is suitable for the internet, not only for the enterprise TY
Impact of RC4 vulnerabilities on Kerberos TY

API documentation

Most commonly used API functions (in alphabetical order):

Tier 1 - Highest priority
Completed API Author Reviewer Date Reviewer Comments
krb5_build_principal [1] ZT GH
krb5_build_principal_alloc_va [2] ZT GH
krb5_build_principal_ext [3] ZT GH
krb5_cc_close [4] ZT GH
krb5_cc_default [5] ZT GH
krb5_cc_default_name [6] ZT GH
krb5_cc_destroy [7] ZT GH
krb5_cc_dup [8] ZT GH
krb5_cc_get_name [9] ZT GH
krb5_cc_get_principal [10] ZT GH
krb5_cc_get_type [11] ZT GH
krb5_cc_initialize [12] ZT GH
krb5_cc_new_unique [13] ZT GH
krb5_cc_resolve [14] ZT GH
krb5_change_password [15] ZT GH
krb5_free_context [16] ZT GH
krb5_free_error_message [17] ZT GH
krb5_free_principal [18] ZT GH
krb5_fwd_tgt_cred [19] ZT GH Needs example
krb5_get_default_realm [20] ZT GH
krb5_get_error_message [21] ZT GH
krb5_get_host_realm [22] ZT GH
krb5_get_credentials [23] ZT GH
krb5_get_fallback_host_realm [24] ZT GH
krb5_get_init_creds_keytab [25] ZT GH
krb5_get_init_creds_opt_alloc [26] ZT GH
krb5_get_init_creds_opt_free [27] ZT GH
krb5_get_init_creds_opt_get_fast_flags [28] ZT GH
krb5_get_init_creds_opt_init [29] ZT GH
krb5_get_init_creds_opt_set_address_list [30] ZT GH
krb5_get_init_creds_opt_set_anonymous [31] ZT GH
krb5_get_init_creds_opt_set_canonicalize [32] ZT GH
krb5_get_init_creds_opt_set_change_password_prompt [33] ZT GH
krb5_get_init_creds_opt_set_etype_list [34] ZT GH
krb5_get_init_creds_opt_set_expire_callback [35] ZT GH
krb5_get_init_creds_opt_set_fast_ccache [36] ZT GH
krb5_get_init_creds_opt_set_fast_ccache_name [37] ZT GH
krb5_get_init_creds_opt_set_fast_flags [38] ZT GH
krb5_get_init_creds_opt_set_forwardable [39] ZT GH
krb5_get_init_creds_opt_set_out_ccache [40] ZT GH
krb5_get_init_creds_opt_set_pa [41] ZT GH
krb5_get_init_creds_opt_set_preauth_list [42] ZT GH
krb5_get_init_creds_opt_set_proxiable [43] ZT GH
krb5_get_init_creds_opt_set_renew_life [44] ZT GH
krb5_get_init_creds_opt_set_salt [45] ZT GH
krb5_get_init_creds_opt_set_tkt_life [46] ZT GH
krb5_get_init_creds_password [47] ZT GH
krb5_get_profile [48] ZT GH
krb5_get_prompt_types [49] ZT GH
krb5_get_renewed_creds [50] ZT GH
krb5_get_validated_creds [51] ZT GH
krb5_init_context [52] ZT GH
krb5_init_secure_context [53] ZT GH
krb5_is_config_principal [54] ZT GH
krb5_is_thread_safe [55] ZT GH
krb5_kt_close [56] ZT GH
krb5_kt_default [57] ZT GH
krb5_kt_default_name [58] ZT GH
krb5_kt_get_name [59] ZT GH
krb5_kt_get_type [60] ZT GH
krb5_kt_resolve [61] ZT GH
krb5_kuserok [62] ZT GH
krb5_parse_name [63] ZT GH
krb5_parse_name_flags [64] ZT GH
krb5_principal_compare [65] ZT GH
krb5_principal_compare_any_realm [66] ZT GH
krb5_principal_compare_flags [67] ZT GH
krb5_prompter_posix [68] ZT GH
krb5_realm_compare [69] ZT GH
krb5_recvauth [70] ZT GH
krb5_recvauth_version [71] ZT GH
krb5_set_default_realm [72] ZT GH
krb5_set_password [73] ZT GH
krb5_set_password_using_ccache [74] ZT GH
krb5_set_principal_realm [75] ZT GH
krb5_set_trace_callback [76] ZT GH
krb5_set_trace_filename [77] ZT GH
krb5_sname_to_principal [78] ZT GH
krb5_unparse_name [79] ZT GH
krb5_unparse_name_ext [80] ZT GH
krb5_unparse_name_flags [81] ZT GH
krb5_unparse_name_flags_ext [82] ZT GH
krb5_us_timeofday [83] ZT GH
krb5_verify_authdata_kdc_issued [84] ZT GH

We may want to have more examples for some of the common API functions.

Manpage proofreading

manpage original reviewer comments
k5identity.5 src/gen-manpages/k5identity.M GH
k5login.5 src/gen-manpages/k5login.M GH
k5srvutil.1 src/kadmin/cli/k5srvutil.M GH
kadmin.1 src/kadmin/cli/kadmin.M GH
kadmind.8 src/kadmin/server/kadmind.M GH
kdb5_ldap_util.8 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M GH
kdb5_util.8 src/kadmin/dbutil/kdb5_util.M GH
kdc.conf.5 src/config-files/kdc.conf.M GH
kdestroy.1 src/clients/kdestroy/kdestroy.M GH
kinit.1 src/clients/kinit/kinit.M GH
kpasswd.1 src/clients/kpasswd/kpasswd.M GH
kprop.8 src/slave/kprop.M GH
kpropd.8 src/slave/kpropd.M GH
kproplog.8 src/slave/kproplog.M GH
krb5-send-pr.1 src/util/send-pr/send-pr.1 copyright issues. Removed from the documentation
krb5.conf.5 src/config-files/krb5.conf.M GH
krb5kdc.8 src/kdc/krb5kdc.M GH
ksu.1 src/clients/ksu/ksu.M GH needs rewrite
kswitch.1 src/clients/kswitch/kswitch.M GH
kvno.1 src/clients/kvno/kvno.M GH
sclient.1 src/appl/sample/sclient/sclient.M GH
sserver.8 src/appl/sample/sserver/sserver.M GH

Abbreviations

abbreviation full names?
GH Greg Hudson
KR Ken Raeburn
MIT MITKC group
NW Nico Williams
TH Thomas Hardjono
TY Tom Yu
ZT Zhanna Tsitkov