logo_kerberos.gif

Release Meeting Minutes/2012-01-24

From K5Wiki
Jump to: navigation, search


Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu

gss_export_cred

Simo suggests a new API for exporting GSS creds.

Greg
Might be using a memory ccache or a file. Would have to serialize contents.
Simo
To use in GSS proxy.
Tom
consider e.g. nonexportable keys in hardware security modules
Simo
Stateless server for GSS proxy. Server could encrypt credentials in a long-term key to hand to the client.
Tom
So externalizing server state to client without client using them.
Simo
Also possibly for clients to use.
Greg
Resource consumptino... encryption, memory.
Simo
Also thinking about exporting partially initialized context.
Greg
See also IETF GSS preauth proposal.
Tom
Is statelessness a requirement?
Simo
Denials of service, memory leaks, etc. make stateless attractive.
Tom
Consider replays, reordering, etc.
Greg
Maybe 1.11, but we're not committing to anything just yet.
Simo
Standards?
Greg
Not for the token format.
Tom
Standards for API.
Simo
Use Kerberos initially... maybe GSS-EAP later?
Greg
Also define whether API or caller is responsible for encrypting the token.

verify_init_creds

Will
Started thread based on talking to a customer. Hostnames change. pam_krb5 in auth stack. Why not try every principal in the keytab?
Greg
Say system keytab has both host and http keys. Other keytab (containing only http key) readable by httpd could fake any principal.
Greg
Maybe try all or first "host" principal in keytab.
Tom
Either could be a krb5-1.10.x bugfix.