Difference between revisions of "Projects/Documentation Tasks"
From K5Wiki
< Projects
m (Mention desire for examples of API usage) |
m (→Administration) |
||
(15 intermediate revisions by 4 users not shown) | |||
Line 5: | Line 5: | ||
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc. |
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc. |
||
− | |||
− | |||
⚫ | |||
− | |+ Matrix of Document-Type VS Intended Readership |
||
⚫ | |||
− | ! Doc-type/Reader |
||
− | ! Architectural Guide |
||
− | ! Setup & Config of Kerberos |
||
− | ! Admin & Operations of Kerberos |
||
− | ! Custom Build |
||
− | ! API Description |
||
− | ! API Details |
||
− | |- |
||
− | |- |
||
⚫ | |||
− | |- |
||
− | | Architects || || || || || || |
||
− | |- |
||
− | |System Admins || || || || || || |
||
− | |- |
||
− | |Application Developers || || || || || || |
||
− | |- |
||
− | |GSSAPI Developers || || || || || || |
||
− | |- |
||
− | |Kerberos Developers || || || || || || |
||
⚫ | |||
Line 45: | Line 19: | ||
|- |
|- |
||
|- |
|- |
||
− | | Designing a new protocol, or extending existing one, to use GSS-API || |
+ | | Designing a new protocol, or extending existing one, to use GSS-API || || || || |
|- |
|- |
||
| Choosing security API|| || || || |
| Choosing security API|| || || || |
||
|- |
|- |
||
− | | <ul><li> GSS-API vs SASL vs KRB5 </ul>|| |
+ | | <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || || |
|- |
|- |
||
− | | <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| |
+ | | <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || || |
|- |
|- |
||
| GSS-API || || || || |
| GSS-API || || || || |
||
|- |
|- |
||
− | | <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| |
+ | | <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || || |
|- |
|- |
||
− | | <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| |
+ | | <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || || |
|- |
|- |
||
− | | <ul><li> How to write mechanism-independent GSS-API code</ul>|| |
+ | | <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || || |
|- |
|- |
||
− | | <ul><li> |
+ | | <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || || |
− | |- |
||
− | | <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| NW || || || |
||
|- |
|- |
||
| <ul><li> Using IAKERB</ul>|| || || || |
| <ul><li> Using IAKERB</ul>|| || || || |
||
− | |- |
||
⚫ | |||
|- |
|- |
||
| <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || || |
| <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || || |
||
|- |
|- |
||
− | | <ul><li> Available extensions</ul>|| |
+ | | <ul><li> Available extensions</ul>|| || || || |
|- |
|- |
||
| <ul><li> Thread safety</ul>|| KR || || || |
| <ul><li> Thread safety</ul>|| KR || || || |
||
|- |
|- |
||
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || || |
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || || |
||
− | |- |
||
⚫ | |||
− | |- |
||
⚫ | |||
− | |- |
||
⚫ | |||
|- |
|- |
||
| Krb5 library guide|| || || || |
| Krb5 library guide|| || || || |
||
|- |
|- |
||
⚫ | |||
⚫ | |||
− | |- |
||
⚫ | |||
|- |
|- |
||
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || || under review |
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || || under review |
||
Line 98: | Line 62: | ||
|- |
|- |
||
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || || |
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || || |
||
⚫ | |||
⚫ | |||
+ | |||
⚫ | |||
+ | |+ |
||
+ | |- |
||
+ | ! Completed task |
||
+ | ! Author |
||
+ | ! Date |
||
+ | ! Reviewer |
||
+ | ! Reviewer Comments |
||
+ | |- |
||
+ | | Choosing security API|| || || || |
||
+ | |- |
||
+ | | <ul><li> Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH||2012-03-01|| || |
||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
|- |
|- |
||
| MIT Kerberos features : quick facts || ZT || ongoing || || |
| MIT Kerberos features : quick facts || ZT || ongoing || || |
||
|- |
|- |
||
− | | How to build Kerberos from source || ZT || || || |
+ | | How to build Kerberos from source || ZT || || || |
|- |
|- |
||
|} |
|} |
||
Line 118: | Line 107: | ||
| Introduction to Kerberos system || || || || |
| Introduction to Kerberos system || || || || |
||
|- |
|- |
||
− | |<ul><li>Man page </ul>|| TH || 2012- |
+ | |<ul><li>Man page </ul>|| TH || 2012-08-15|| || in progress |
|- |
|- |
||
− | |<ul><li>General overview</ul>|| TH ||2012- |
+ | |<ul><li>General overview</ul>|| TH ||2012-08-15 || || |
+ | |- |
||
+ | |<ul><li>Intro for admins</ul>|| TH ||2012-08-15 || || |
||
+ | |- |
||
+ | |<ul><li>Technical overview</ul>|| TH ||2012-07-15 || ||in progress |
||
|- |
|- |
||
|Setting a new realm|| || || || |
|Setting a new realm|| || || || |
||
|- |
|- |
||
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || || |
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || || |
||
− | |- |
||
− | |<ul><li>Replication</ul>|| ZT|| || ||ready for review |
||
|- |
|- |
||
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || || |
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || || |
||
|- |
|- |
||
− | | |
+ | | Choosing encryption types for principals|| TY|| 2012-12-14|| ||under review |
|- |
|- |
||
− | | Choosing encryption types for principals|| TY|| 2012-10-01|| || |
||
+ | | Upgrading a Kerberos infrastructure (order, backward compatibility) || || || || |
||
|- |
|- |
||
| Integration Kerberos with Login System|| || || || |
| Integration Kerberos with Login System|| || || || |
||
Line 140: | Line 127: | ||
| <ul><li> Validating Kerberos tickets</ul>|| || || || |
| <ul><li> Validating Kerberos tickets</ul>|| || || || |
||
|- |
|- |
||
− | | <ul><li> Clear text password over HTTPS </ul>|| |
+ | | <ul><li> Clear text password over HTTPS </ul>|| || || || |
|- |
|- |
||
− | | <ul><li> Configuring with pam_krb5 module</ul>|| |
+ | | <ul><li> Configuring with pam_krb5 module</ul>|| || || || |
|- |
|- |
||
| <ul><li> Storing/locating keytab</ul>|| || || || |
| <ul><li> Storing/locating keytab</ul>|| || || || |
||
Line 166: | Line 153: | ||
| Using Smartcard with PKINIT|| || || || |
| Using Smartcard with PKINIT|| || || || |
||
|- |
|- |
||
− | | Kerberized ssh|| |
+ | | Kerberized ssh|| || || || |
|- |
|- |
||
| <ul><li> Configuration</ul>|| || || || |
| <ul><li> Configuration</ul>|| || || || |
||
Line 172: | Line 159: | ||
| <ul><li>Cross-realm and ssh</ul>|| || || || |
| <ul><li>Cross-realm and ssh</ul>|| || || || |
||
|- |
|- |
||
⚫ | |||
⚫ | |||
− | |- |
||
⚫ | |||
− | |- |
||
⚫ | |||
|- |
|- |
||
| Troubleshooting|| || || || |
| Troubleshooting|| || || || |
||
|- |
|- |
||
| <ul><li>Troubleshooting errors</ul> || ZT || ongoing|| || |
| <ul><li>Troubleshooting errors</ul> || ZT || ongoing|| || |
||
− | |- |
||
⚫ | |||
|- |
|- |
||
| <ul><li>Realm renaming </ul>|| || || || |
| <ul><li>Realm renaming </ul>|| || || || |
||
|- |
|- |
||
⚫ | |||
+ | | <ul><li> Forgot Kerberos Master Key|| GH || || || |
||
|- |
|- |
||
| Basic concepts (passwd policy, ticket ) || || || || |
| Basic concepts (passwd policy, ticket ) || || || || |
||
Line 192: | Line 173: | ||
| Approaches to authorization -- centralized vs distributed, etc. || || || || |
| Approaches to authorization -- centralized vs distributed, etc. || || || || |
||
|- |
|- |
||
⚫ | |||
+ | |} |
||
+ | |||
+ | |||
+ | {| class="wikitable" |
||
+ | |+ |
||
|- |
|- |
||
⚫ | |||
+ | ! Completed task |
||
+ | ! Author |
||
+ | ! Date |
||
+ | ! Reviewer |
||
+ | ! Reviewer Comments |
||
+ | |- |
||
⚫ | |||
+ | |- |
||
+ | | Reverse DNS|| TY|| 2012-12-12|| || |
||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
⚫ | |||
+ | |- |
||
+ | |} |
||
+ | |||
+ | == General == |
||
+ | |||
+ | {| class="wikitable" |
||
+ | |+ |
||
+ | |- |
||
+ | ! task |
||
+ | ! Proposed Author |
||
+ | ! Target Date |
||
+ | ! Reviewer |
||
+ | ! Reviewer Comments |
||
+ | |- |
||
+ | | Why Kerberos system is suitable for the internet, not only for the enterprise || TY || || || |
||
+ | |- |
||
+ | | Impact RC4 vulnerabilities on Kerberos || TY || || || |
||
|- |
|- |
||
|} |
|} |
||
Line 200: | Line 222: | ||
== API documentation == |
== API documentation == |
||
⚫ | |||
+ | |||
⚫ | |||
{| class="wikitable" |
{| class="wikitable" |
||
|+ Tier 1 - Highest priority |
|+ Tier 1 - Highest priority |
||
|- |
|- |
||
− | ! API |
+ | ! Completed API |
− | ! |
+ | ! Author |
! Reviewer |
! Reviewer |
||
− | ! |
+ | ! Date |
! Reviewer Comments |
! Reviewer Comments |
||
|- |
|- |
||
Line 381: | Line 404: | ||
|- |
|- |
||
|} |
|} |
||
− | We may want to have more examples for some of the common API |
+ | We may want to have more examples for some of the common API functions. |
== Manpage proofreading == |
== Manpage proofreading == |
Latest revision as of 09:28, 5 June 2013
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Contents
Purpose
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.
Application development
task | Proposed Author | Target Date | Reviewer | Reviewer Comments |
---|---|---|---|---|
Designing a new protocol, or extending existing one, to use GSS-API | ||||
Choosing security API | ||||
|
||||
|
||||
GSS-API | ||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
GH | 2012-10-01 | ||
|
||||
|
KR | |||
|
||||
Krb5 library guide | ||||
|
||||
|
KR | under review | ||
|
||||
|
TY | TBD | ||
|
KR | |||
|
||||
|
Completed task | Author | Date | Reviewer | Reviewer Comments |
---|---|---|---|---|
Choosing security API | ||||
|
GH | 2012-03-01 | ||
|
GH | 2012-10-01 | ||
Developing plugins | GH | 2012-03-08 | ||
|
||||
|
ZT reviewed profile plugin | |||
A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential | TY | 2012-04-27 | ||
MIT Kerberos features : quick facts | ZT | ongoing | ||
How to build Kerberos from source | ZT |
Administration
task | Proposed Author | Target Date | Reviewer | Reviewer Comments |
---|---|---|---|---|
Introduction to Kerberos system | ||||
|
TH | 2012-08-15 | in progress | |
|
TH | 2012-08-15 | ||
|
TH | 2012-08-15 | ||
|
TH | 2012-07-15 | in progress | |
Setting a new realm | ||||
|
||||
|
KR | |||
Choosing encryption types for principals | TY | 2012-12-14 | under review | |
Upgrading a Kerberos infrastructure (order, backward compatibility) | ||||
Integration Kerberos with Login System | ||||
|
||||
|
||||
|
||||
|
||||
|
||||
Cross-realm | ||||
|
||||
|
||||
|
||||
Performance | ||||
|
||||
|
||||
kadmin interface | ||||
|
||||
Using Smartcard with PKINIT | ||||
Kerberized ssh | ||||
|
||||
|
||||
A guide to principal naming basics and structure | ZT | 2013-03-01 | ||
Troubleshooting | ||||
|
ZT | ongoing | ||
|
||||
|
GH | |||
Basic concepts (passwd policy, ticket ) | ||||
Approaches to authorization -- centralized vs distributed, etc. |
Completed task | Author | Date | Reviewer | Reviewer Comments |
---|---|---|---|---|
Replication | ZT | |||
Reverse DNS | TY | 2012-12-12 | ||
Selecting and configuring plugins | GH | 2012-03-15 | ||
Anonymity support | GH | 2012-10-01 | ||
Trace logging | GH | 2012-03-22 | ||
Using LDAP server for Kerberos backend | ZT | Ubuntu 10.4 (lucid) | ||
Acceptable date and time formats | ZT | 2012-07-15 | ||
kadm5.acl man page | ZT | 2012-08-15 |
General
task | Proposed Author | Target Date | Reviewer | Reviewer Comments |
---|---|---|---|---|
Why Kerberos system is suitable for the internet, not only for the enterprise | TY | |||
Impact RC4 vulnerabilities on Kerberos | TY |
API documentation
Most commonly used API functions (in alphabetical order):
Completed API | Author | Reviewer | Date | Reviewer Comments |
---|---|---|---|---|
krb5_build_principal [1] | ZT | GH | ||
krb5_build_principal_alloc_va [2] | ZT | GH | ||
krb5_build_principal_ext [3] | ZT | GH | ||
krb5_cc_close [4] | ZT | GH | ||
krb5_cc_default [5] | ZT | GH | ||
krb5_cc_default_name [6] | ZT | GH | ||
krb5_cc_destroy [7] | ZT | GH | ||
krb5_cc_dup [8] | ZT | GH | ||
krb5_cc_get_name [9] | ZT | GH | ||
krb5_cc_get_principal [10] | ZT | GH | ||
krb5_cc_get_type [11] | ZT | GH | ||
krb5_cc_initialize [12] | ZT | GH | ||
krb5_cc_new_unique [13] | ZT | GH | ||
krb5_cc_resolve [14] | ZT | GH | ||
krb5_change_password [15] | ZT | GH | ||
krb5_free_context [16] | ZT | GH | ||
krb5_free_error_message [17] | ZT | GH | ||
krb5_free_principal [18] | ZT | GH | ||
krb5_fwd_tgt_cred [19] | ZT | GH | Needs example | |
krb5_get_default_realm [20] | ZT | GH | ||
krb5_get_error_message [21] | ZT | GH | ||
krb5_get_host_realm [22] | ZT | GH | ||
krb5_get_credentials [23] | ZT | GH | ||
krb5_get_fallback_host_realm [24] | ZT | GH | ||
krb5_get_init_creds_keytab [25] | ZT | GH | ||
krb5_get_init_creds_opt_alloc [26] | ZT | GH | ||
krb5_get_init_creds_opt_free [27] | ZT | GH | ||
krb5_get_init_creds_opt_get_fast_flags [28] | ZT | GH | ||
krb5_get_init_creds_opt_init [29] | ZT | GH | ||
krb5_get_init_creds_opt_set_address_list [30] | ZT | GH | ||
krb5_get_init_creds_opt_set_anonymous [31] | ZT | GH | ||
krb5_get_init_creds_opt_set_canonicalize [32] | ZT | GH | ||
krb5_get_init_creds_opt_set_change_password_prompt [33] | ZT | GH | ||
krb5_get_init_creds_opt_set_etype_list [34] | ZT | GH | ||
krb5_get_init_creds_opt_set_expire_callback [35] | ZT | GH | ||
krb5_get_init_creds_opt_set_fast_ccache [36] | ZT | GH | ||
krb5_get_init_creds_opt_set_fast_ccache_name [37] | ZT | GH | ||
krb5_get_init_creds_opt_set_fast_flags [38] | ZT | GH | ||
krb5_get_init_creds_opt_set_forwardable [39] | ZT | GH | ||
krb5_get_init_creds_opt_set_out_ccache [40] | ZT | GH | ||
krb5_get_init_creds_opt_set_pa [41] | ZT | GH | ||
krb5_get_init_creds_opt_set_preauth_list [42] | ZT | GH | ||
krb5_get_init_creds_opt_set_proxiable [43] | ZT | GH | ||
krb5_get_init_creds_opt_set_renew_life [44] | ZT | GH | ||
krb5_get_init_creds_opt_set_salt [45] | ZT | GH | ||
krb5_get_init_creds_opt_set_tkt_life [46] | ZT | GH | ||
krb5_get_init_creds_password [47] | ZT | GH | ||
krb5_get_profile [48] | ZT | GH | ||
krb5_get_prompt_types [49] | ZT | GH | ||
krb5_get_renewed_creds [50] | ZT | GH | ||
krb5_get_validated_creds [51] | ZT | GH | ||
krb5_init_context [52] | ZT | GH | ||
krb5_init_secure_context [53] | ZT | GH | ||
krb5_is_config_principal [54] | ZT | GH | ||
krb5_is_thread_safe [55] | ZT | GH | ||
krb5_kt_close [56] | ZT | GH | ||
krb5_kt_default [57] | ZT | GH | ||
krb5_kt_default_name [58] | ZT | GH | ||
krb5_kt_get_name [59] | ZT | GH | ||
krb5_kt_get_type [60] | ZT | GH | ||
krb5_kt_resolve [61] | ZT | GH | ||
krb5_kuserok [62] | ZT | GH | ||
krb5_parse_name [63] | ZT | GH | ||
krb5_parse_name_flags [64] | ZT | GH | ||
krb5_principal_compare [65] | ZT | GH | ||
krb5_principal_compare_any_realm [66] | ZT | GH | ||
krb5_principal_compare_flags [67] | ZT | GH | ||
krb5_prompter_posix [68] | ZT | GH | ||
krb5_realm_compare [69] | ZT | GH | ||
krb5_recvauth [70] | ZT | GH | ||
krb5_recvauth_version [71] | ZT | GH | ||
krb5_set_default_realm [72] | ZT | GH | ||
krb5_set_password [73] | ZT | GH | ||
krb5_set_password_using_ccache [74] | ZT | GH | ||
krb5_set_principal_realm [75] | ZT | GH | ||
krb5_set_trace_callback [76] | ZT | GH | ||
krb5_set_trace_filename [77] | ZT | GH | ||
krb5_sname_to_principal [78] | ZT | GH | ||
krb5_unparse_name [79] | ZT | GH | ||
krb5_unparse_name_ext [80] | ZT | GH | ||
krb5_unparse_name_flags [81] | ZT | GH | ||
krb5_unparse_name_flags_ext [82] | ZT | GH | ||
krb5_us_timeofday [83] | ZT | GH | ||
krb5_verify_authdata_kdc_issued [84] | ZT | GH |
We may want to have more examples for some of the common API functions.
Manpage proofreading
manpage | original | reviewer | comments |
---|---|---|---|
k5identity.5 | src/gen-manpages/k5identity.M | GH | |
k5login.5 | src/gen-manpages/k5login.M | GH | |
k5srvutil.1 | src/kadmin/cli/k5srvutil.M | GH | |
kadmin.1 | src/kadmin/cli/kadmin.M | GH | |
kadmind.8 | src/kadmin/server/kadmind.M | GH | |
kdb5_ldap_util.8 | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M | GH | |
kdb5_util.8 | src/kadmin/dbutil/kdb5_util.M | GH | |
kdc.conf.5 | src/config-files/kdc.conf.M | GH | |
kdestroy.1 | src/clients/kdestroy/kdestroy.M | GH | |
kinit.1 | src/clients/kinit/kinit.M | GH | |
kpasswd.1 | src/clients/kpasswd/kpasswd.M | GH | |
kprop.8 | src/slave/kprop.M | GH | |
kpropd.8 | src/slave/kpropd.M | GH | |
kproplog.8 | src/slave/kproplog.M | GH | |
krb5-send-pr.1 | src/util/send-pr/send-pr.1 | copyright issues. Removed from the documentation | |
krb5.conf.5 | src/config-files/krb5.conf.M | GH | |
krb5kdc.8 | src/kdc/krb5kdc.M | GH | |
ksu.1 | src/clients/ksu/ksu.M | GH | needs rewrite |
kswitch.1 | src/clients/kswitch/kswitch.M | GH | |
kvno.1 | src/clients/kvno/kvno.M | GH | |
sclient.1 | src/appl/sample/sclient/sclient.M | GH | |
sserver.8 | src/appl/sample/sserver/sserver.M | GH |
Abbreviations
abbreviation | full names? |
---|---|
GH | Greg Hudson |
KR | Ken Raeburn |
MIT | MITKC group |
NW | Nico Williams |
TH | Thomas Hardjono |
TY | Tom Yu |
ZT | Zhanna Tsitkov |