logo_kerberos.gif

Difference between revisions of "Projects/Documentation Tasks"

From K5Wiki
Jump to: navigation, search
m
m (status update for some completed topics)
Line 67: Line 67:
 
| <ul><li> Using IAKERB</ul>|| || || ||
  
| <ul><li> Using IAKERB</ul>|| || || ||
 
|-
  
|-
| <ul><li> Anonymous credentials</ul>|| GH ||2012-10-01 || || ready for review
 +
| <ul><li> Anonymous credentials</ul>|| GH ||2012-10-01 || || DONE
 
|-
  
|-
 
| <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || ||
  
| <ul><li> Delegating credentials</ul>|| GH ||2012-10-01 || ||
Line 77: Line 77:
 
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||
  
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||
 
|-
  
|-
| Developing plugins|| GH ||2012-03-08|| || ready for review
 +
| Developing plugins|| GH ||2012-03-08|| || DONE
 
|-
  
|-
 
| <ul><li> A guide to developing plugins </ul>|| || || || DONE
  
| <ul><li> A guide to developing plugins </ul>|| || || || DONE
Line 85: Line 85:
 
| Krb5 library guide|| || || ||
  
| Krb5 library guide|| || || ||
 
|-
  
|-
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || 2012-04-27 ||need examples ||
 +
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || 2012-04-27 ||need examples ||DONE
 
|-
  
|-
 
| <ul><li> Kerberos prompter behavior</ul>|| NW || || ||
  
| <ul><li> Kerberos prompter behavior</ul>|| NW || || ||
Line 136: Line 136:
 
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || ||
  
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| KR || || ||
 
|-
  
|-
| Reverse DNS|| TY|| 2012-12-12|| || under review
 +
| Reverse DNS|| TY|| 2012-12-12|| || DONE
 
|-
  
|-
| Choosing encryption types for principals|| TY|| 2012-12-14|| ||
 +
| Choosing encryption types for principals|| TY|| 2012-12-14|| ||under review
 
|-
  
|-
 
| Integration Kerberos with Login System|| || || ||
  
| Integration Kerberos with Login System|| || || ||
Line 180: Line 180:
 
| Selecting and configuring plugins|| GH ||2012-03-15|| || DONE
  
| Selecting and configuring plugins|| GH ||2012-03-15|| || DONE
 
|-
  
|-
| Anonymity support|| GH ||2012-10-01 || || under review
 +
| Anonymity support|| GH ||2012-10-01 || || DONE
 
|-
  
|-
 
| A guide to principal naming basics and structure|| || || ||
  
| A guide to principal naming basics and structure|| || || ||

Revision as of 13:24, 26 December 2012

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.


Matrix of Document-Type VS Intended Readership
Doc-type/Reader Architectural Guide Setup & Config of Kerberos Admin & Operations of Kerberos Custom Build API Description API Details
End-users
Architects
System Admins
Application Developers
GSSAPI Developers
Kerberos Developers


Application development

task Proposed Author Target Date Reviewer Reviewer Comments
Designing a new protocol, or extending existing one, to use GSS-API NW
Choosing security API
  • GSS-API vs SASL vs KRB5
NW
  • A guide to the similarities and differences between Heimdal and MIT Kerberos API
NW
GSS-API
  • A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues
 NW
  • How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is
NW
  • How to write mechanism-independent GSS-API code
 NW
  • Acceptor naming - How to get servers to use any key in a keytab
 GH 2012-03-01 DONE
  • A guide to GSS-API naming as compared to Kerberos principal naming
 NW
  • Using IAKERB
  • Anonymous credentials
 GH 2012-10-01 DONE
  • Delegating credentials
 GH 2012-10-01
  • Available extensions
 NW
  • Thread safety
 KR
  • Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection
Developing plugins GH 2012-03-08 DONE
  • A guide to developing plugins
DONE
  • Overview of existing pluggable interfaces
ZT reviewed profile plugin DONE
Krb5 library guide
  • A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential
 TY 2012-04-27 need examples DONE
  • Kerberos prompter behavior
 NW
  • An introduction to ticket caches and keytabs and their corresponding APIs
KR under review
  • An advanced guide to the pre-auth mechanisms, FAST
  • An advanced guide to the principal manipulation and parsing
 TY TBD
  • Thread safety
 KR
  • Password change including the automatic internal support for password change on expired passwords if a prompter is provided
  • krb5_appdefault_* functions and their alternatives
MIT Kerberos features : quick facts ZT ongoing DONE
How to build Kerberos from source ZT DONE

Administration

task Proposed Author Target Date Reviewer Reviewer Comments
Introduction to Kerberos system
  • Man page
TH 2012-08-15 in progress
  • General overview
 TH 2012-08-15
  • Intro for admins
 TH 2012-08-15
  • Technical overview
 TH 2012-07-15 in progress
Setting a new realm
  • Choosing backend: LDAP vs DB2
  • Replication
 ZT DONE
  • DNS configuration and SRV records - how they are used, in what order
 KR
Reverse DNS TY 2012-12-12 DONE
Choosing encryption types for principals TY 2012-12-14 under review
Integration Kerberos with Login System
  • Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment
  • Validating Kerberos tickets
  • Clear text password over HTTPS
NW
  • Configuring with pam_krb5 module
 NW
  • Storing/locating keytab
Cross-realm
  • cross-realm interaction with AD
  • Transitive trust
  • Referrals
Performance
  • Performance tuning tips
  • Performance tradeoffs
kadmin interface
  • Keying workstation/ host key setting
Using Smartcard with PKINIT
Kerberized ssh NW
  • Configuration
  • Cross-realm and ssh
Selecting and configuring plugins GH 2012-03-15 DONE
Anonymity support GH 2012-10-01 DONE
A guide to principal naming basics and structure
Troubleshooting
  • Troubleshooting errors
 ZT ongoing
  • Trace logging
 GH 2012-03-22 DONE
  • Realm renaming
Using LDAP server for Kerberos backend ZT Ubuntu 10.4 (lucid) DONE
Basic concepts (passwd policy, ticket )
Approaches to authorization -- centralized vs distributed, etc.
Acceptable date and time formats ZT 2012-07-15 DONE
kadm5.acl man page ZT 2012-08-15 DONE

API documentation

Most commonly used API functions (in alphabetical order)

Tier 1 - Highest priority
API Proposed Author Reviewer Target Date Reviewer Comments
krb5_build_principal [1] ZT GH
krb5_build_principal_alloc_va [2] ZT GH
krb5_build_principal_ext [3] ZT GH
krb5_cc_close [4] ZT GH
krb5_cc_default [5] ZT GH
krb5_cc_default_name [6] ZT GH
krb5_cc_destroy [7] ZT GH
krb5_cc_dup [8] ZT GH
krb5_cc_get_name [9] ZT GH
krb5_cc_get_principal [10] ZT GH
krb5_cc_get_type [11] ZT GH
krb5_cc_initialize [12] ZT GH
krb5_cc_new_unique [13] ZT GH
krb5_cc_resolve [14] ZT GH
krb5_change_password [15] ZT GH
krb5_free_context [16] ZT GH
krb5_free_error_message [17] ZT GH
krb5_free_principal [18] ZT GH
krb5_fwd_tgt_cred [19] ZT GH Needs example
krb5_get_default_realm [20] ZT GH
krb5_get_error_message [21] ZT GH
krb5_get_host_realm [22] ZT GH
krb5_get_credentials [23] ZT GH
krb5_get_fallback_host_realm [24] ZT GH
krb5_get_init_creds_keytab [25] ZT GH
krb5_get_init_creds_opt_alloc [26] ZT GH
krb5_get_init_creds_opt_free [27] ZT GH
krb5_get_init_creds_opt_get_fast_flags [28] ZT GH
krb5_get_init_creds_opt_init [29] ZT GH
krb5_get_init_creds_opt_set_address_list [30] ZT GH
krb5_get_init_creds_opt_set_anonymous [31] ZT GH
krb5_get_init_creds_opt_set_canonicalize [32] ZT GH
krb5_get_init_creds_opt_set_change_password_prompt [33] ZT GH
krb5_get_init_creds_opt_set_etype_list [34] ZT GH
krb5_get_init_creds_opt_set_expire_callback [35] ZT GH
krb5_get_init_creds_opt_set_fast_ccache [36] ZT GH
krb5_get_init_creds_opt_set_fast_ccache_name [37] ZT GH
krb5_get_init_creds_opt_set_fast_flags [38] ZT GH
krb5_get_init_creds_opt_set_forwardable [39] ZT GH
krb5_get_init_creds_opt_set_out_ccache [40] ZT GH
krb5_get_init_creds_opt_set_pa [41] ZT GH
krb5_get_init_creds_opt_set_preauth_list [42] ZT GH
krb5_get_init_creds_opt_set_proxiable [43] ZT GH
krb5_get_init_creds_opt_set_renew_life [44] ZT GH
krb5_get_init_creds_opt_set_salt [45] ZT GH
krb5_get_init_creds_opt_set_tkt_life [46] ZT GH
krb5_get_init_creds_password [47] ZT GH
krb5_get_profile [48] ZT GH
krb5_get_prompt_types [49] ZT GH
krb5_get_renewed_creds [50] ZT GH
krb5_get_validated_creds [51] ZT GH
krb5_init_context [52] ZT GH
krb5_init_secure_context [53] ZT GH
krb5_is_config_principal [54] ZT GH
krb5_is_thread_safe [55] ZT GH
krb5_kt_close [56] ZT GH
krb5_kt_default [57] ZT GH
krb5_kt_default_name [58] ZT GH
krb5_kt_get_name [59] ZT GH
krb5_kt_get_type [60] ZT GH
krb5_kt_resolve [61] ZT GH
krb5_kuserok [62] ZT GH
krb5_parse_name [63] ZT GH
krb5_parse_name_flags [64] ZT GH
krb5_principal_compare [65] ZT GH
krb5_principal_compare_any_realm [66] ZT GH
krb5_principal_compare_flags [67] ZT GH
krb5_prompter_posix [68] ZT GH
krb5_realm_compare [69] ZT GH
krb5_recvauth [70] ZT GH
krb5_recvauth_version [71] ZT GH
krb5_set_default_realm [72] ZT GH
krb5_set_password [73] ZT GH
krb5_set_password_using_ccache [74] ZT GH
krb5_set_principal_realm [75] ZT GH
krb5_set_trace_callback [76] ZT GH
krb5_set_trace_filename [77] ZT GH
krb5_sname_to_principal [78] ZT GH
krb5_unparse_name [79] ZT GH
krb5_unparse_name_ext [80] ZT GH
krb5_unparse_name_flags [81] ZT GH
krb5_unparse_name_flags_ext [82] ZT GH
krb5_us_timeofday [83] ZT GH
krb5_verify_authdata_kdc_issued [84] ZT GH

We may want to have more examples for some of the common API functions.

Manpage proofreading

manpage original reviewer comments
k5identity.5 src/gen-manpages/k5identity.M GH
k5login.5 src/gen-manpages/k5login.M GH
k5srvutil.1 src/kadmin/cli/k5srvutil.M GH
kadmin.1 src/kadmin/cli/kadmin.M GH
kadmind.8 src/kadmin/server/kadmind.M GH
kdb5_ldap_util.8 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M GH
kdb5_util.8 src/kadmin/dbutil/kdb5_util.M GH
kdc.conf.5 src/config-files/kdc.conf.M GH
kdestroy.1 src/clients/kdestroy/kdestroy.M GH
kinit.1 src/clients/kinit/kinit.M GH
kpasswd.1 src/clients/kpasswd/kpasswd.M GH
kprop.8 src/slave/kprop.M GH
kpropd.8 src/slave/kpropd.M GH
kproplog.8 src/slave/kproplog.M GH
krb5-send-pr.1 src/util/send-pr/send-pr.1 copyright issues. Removed from the documentation
krb5.conf.5 src/config-files/krb5.conf.M GH
krb5kdc.8 src/kdc/krb5kdc.M GH
ksu.1 src/clients/ksu/ksu.M GH needs rewrite
kswitch.1 src/clients/kswitch/kswitch.M GH
kvno.1 src/clients/kvno/kvno.M GH
sclient.1 src/appl/sample/sclient/sclient.M GH
sserver.8 src/appl/sample/sserver/sserver.M GH

Abbreviations

abbreviation full names?
GH Greg Hudson
KR Ken Raeburn
MIT MITKC group
NW Nico Williams
TH Thomas Hardjono
TY Tom Yu
ZT Zhanna Tsitkov
Retrieved from "https://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&oldid=5019"