Release Meeting Minutes/2012-01-24

Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu

gss_export_cred

Simo suggests a new API for exporting GSS creds.

Greg: Might be using a memory ccache or a file. Would have to serialize contents.
Simo: To use in GSS proxy.
Tom: consider e.g. nonexportable keys in hardware security modules
Simo: Stateless server for GSS proxy. Server could encrypt credentials in a long-term key to hand to the client.
Tom: So externalizing server state to client without client using them.
Simo: Also possibly for clients to use.
Greg: Resource consumptino... encryption, memory.
Simo: Also thinking about exporting partially initialized context.
Greg: See also IETF GSS preauth proposal.
Tom: Is statelessness a requirement?
Simo: Denials of service, memory leaks, etc. make stateless attractive.
Tom: Consider replays, reordering, etc.
Greg: Maybe 1.11, but we're not committing to anything just yet.
Simo: Standards?
Greg: Not for the token format.
Tom: Standards for API.
Simo: Use Kerberos initially... maybe GSS-EAP later?
Greg: Also define whether API or caller is responsible for encrypting the token.

Will: Started thread based on talking to a customer. Hostnames change. pam_krb5 in auth stack. Why not try every principal in the keytab?
Greg: Say system keytab has both host and http keys. Other keytab (containing only http key) readable by httpd could fake any principal.
Greg: Maybe try all or first "host" principal in keytab.
Tom: Either could be a krb5-1.10.x bugfix.