logo_kerberos.gif

Difference between revisions of "Projects/Documentation Tasks"

From K5Wiki
Jump to: navigation, search
m
(Updated the list based on the Russ Allbery review of the topics)
Line 71: Line 71:
 
| <ul><li> Delegating credentials</ul>|| MIT || || ||
 
| <ul><li> Delegating credentials</ul>|| MIT || || ||
 
|-
 
|-
| <ul><li> Available extensions</ul>|| ZT || || ||
+
| <ul><li> Available extensions</ul>|| || || ||
 
|-
 
|-
 
| <ul><li> Thread safety</ul>|| || || ||
 
| <ul><li> Thread safety</ul>|| || || ||
  +
|-
  +
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||
 
|-
 
|-
 
| Developing plugins|| GH || || ||
 
| Developing plugins|| GH || || ||
Line 84: Line 86:
 
|-
 
|-
 
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || || ||
 
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || || ||
  +
|-
  +
| <ul><li> Kerberos prompter behavior</ul>|| || || ||
 
|-
 
|-
 
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| || || ||
 
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| || || ||
Line 92: Line 96:
 
|-
 
|-
 
| <ul><li> Thread safety</ul>|| || || ||
 
| <ul><li> Thread safety</ul>|| || || ||
  +
|-
  +
| <ul><li> Password change including the automatic internal support for password change on expired passwords if a prompter is provided</ul>|| || || ||
  +
|-
  +
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || ||
 
|-
 
|-
 
| MIT Kerberos features : quick facts || ZT || || || ongoing
 
| MIT Kerberos features : quick facts || ZT || || || ongoing
Line 115: Line 123:
 
|-
 
|-
 
|<ul><li>Replication</ul>|| || || ||
 
|<ul><li>Replication</ul>|| || || ||
  +
|-
  +
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| || || ||
 
|-
 
|-
 
| Integration Kerberos with Login System|| || || ||
 
| Integration Kerberos with Login System|| || || ||
  +
|-
  +
| <ul><li> Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment</ul>|| || || ||
 
|-
 
|-
 
| <ul><li> Validating Kerberos tickets</ul>|| || || ||
 
| <ul><li> Validating Kerberos tickets</ul>|| || || ||
Line 129: Line 141:
 
|-
 
|-
 
| <ul><li>cross-realm interaction with AD </ul>|| || || ||
 
| <ul><li>cross-realm interaction with AD </ul>|| || || ||
  +
|-
  +
| <ul><li> Transitive trust</ul>|| || || ||
  +
|-
  +
| <ul><li> Referrals</ul>|| || || ||
 
|-
 
|-
 
| Performance|| || || ||
 
| Performance|| || || ||
Line 136: Line 152:
 
| <ul><li> Performance tradeoffs</ul>|| || || ||
 
| <ul><li> Performance tradeoffs</ul>|| || || ||
 
|-
 
|-
| Keying workstation/ host key setting|| || || ||
+
| kadmin interface|| || || ||
  +
|-
  +
| <ul><li> Keying workstation/ host key setting</ul>|| || || ||
 
|-
 
|-
 
| Using Smartcard with PKINIT|| || || ||
 
| Using Smartcard with PKINIT|| || || ||
Line 157: Line 173:
 
|-
 
|-
 
| <ul><li>Trace logging</ul>||GH || || ||
 
| <ul><li>Trace logging</ul>||GH || || ||
  +
|-
  +
| <ul><li>Realm renaming </ul>|| || || ||
 
|-
 
|-
 
| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid)
 
| Using LDAP server for Kerberos backend|| ZT || || || Ubuntu 10.4 (lucid)

Revision as of 13:21, 27 September 2011

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.


Matrix of Document-Type VS Intended Readership
Doc-type/Reader Architectural Guide Setup & Config of Kerberos Admin & Operations of Kerberos Custom Build API Description API Details
End-users
Architects
System Admins
Application Developers
GSSAPI Developers
Kerberos Developers


Application development

task who writes? who reviews? reviewed? comments
Designing a new protocol, or extending existing one, to use GSS-API
Choosing security API
  • GSS-API vs SASL vs KRB5
  • A guide to the similarities and differences between Heimdal and MIT Kerberos API
GSS-API
  • A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues
  • How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is
  • How to write mechanism-independent GSS-API code
  • Acceptor naming - How to get servers to use any key in a keytab
GH
  • A guide to GSS-API naming as compared to Kerberos principal naming
  • Using IAKERB
  • Anonymous credentials
  • Delegating credentials
MIT
  • Available extensions
  • Thread safety
  • Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection
Developing plugins GH
  • A guide to developing plugins
  • Overview of existing pluggable interfaces
Krb5 library guide
  • A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential
TY
  • Kerberos prompter behavior
  • An introduction to ticket caches and keytabs and their corresponding APIs
  • An advanced guide to the pre-auth mechanisms, FAST
  • An advanced guide to the principal manipulation and parsing
TY
  • Thread safety
  • Password change including the automatic internal support for password change on expired passwords if a prompter is provided
  • krb5_appdefault_* functions and their alternatives
MIT Kerberos features : quick facts ZT ongoing


Administration

task who writes? who reviews? reviewed? comments
Setting a new realm
  • Choosing backend: LDAP vs DB2
  • Replication
  • DNS configuration and SRV records - how they are used, in what order
Integration Kerberos with Login System
  • Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment
  • Validating Kerberos tickets
  • Clear text password over HTTPS
  • Configuring with pam_krb5 module
  • Storing/locating keytab
Cross-realm
  • cross-realm interaction with AD
  • Transitive trust
  • Referrals
Performance
  • Performance tuning tips
  • Performance tradeoffs
kadmin interface
  • Keying workstation/ host key setting
Using Smartcard with PKINIT
Kerberized ssh
  • Configuration
  • Cross-realm and ssh
Selecting and configuring plugins GH
Anonymity support
A guide to principal naming basics and structure
Troubleshooting
  • Troubleshooting errors
ZT ongoing
  • Trace logging
GH
  • Realm renaming
Using LDAP server for Kerberos backend ZT Ubuntu 10.4 (lucid)


API documentation

Most commonly used API functions (in alphabetical order)

Tier 1 - Highest priority
API who writes? who reviews? reviewed? comments
krb5_build_principal [1] ZT GH
krb5_build_principal_alloc_va [2] ZT GH
krb5_build_principal_ext [3] ZT GH
krb5_cc_close [4] ZT GH
krb5_cc_default [5] ZT GH
krb5_cc_default_name [6] ZT GH
krb5_cc_destroy [7] ZT GH
krb5_cc_dup [8] ZT GH
krb5_cc_get_name [9] ZT GH
krb5_cc_get_principal [10] ZT GH
krb5_cc_get_type [11] ZT GH
krb5_cc_initialize [12] ZT GH
krb5_cc_new_unique [13] ZT GH
krb5_cc_resolve [14] ZT GH
krb5_change_password [15] ZT GH
krb5_free_context [16] ZT GH
krb5_free_error_message [17] ZT GH
krb5_free_principal [18] ZT GH
krb5_fwd_tgt_cred [19] ZT GH Needs example
krb5_get_default_realm [20] ZT GH
krb5_get_error_message [21] ZT GH
krb5_get_host_realm [22] ZT GH
krb5_get_credentials [23] ZT GH
krb5_get_fallback_host_realm [24] ZT GH
krb5_get_init_creds_keytab [25] ZT GH
krb5_get_init_creds_opt_alloc [26] ZT GH
krb5_get_init_creds_opt_free [27] ZT GH
krb5_get_init_creds_opt_get_fast_flags [28] ZT GH
krb5_get_init_creds_opt_init [29] ZT GH
krb5_get_init_creds_opt_set_address_list [30] ZT GH
krb5_get_init_creds_opt_set_anonymous [31] ZT GH
krb5_get_init_creds_opt_set_canonicalize [32] ZT GH
krb5_get_init_creds_opt_set_change_password_prompt [33] ZT GH
krb5_get_init_creds_opt_set_etype_list [34] ZT GH
krb5_get_init_creds_opt_set_expire_callback [35] ZT GH
krb5_get_init_creds_opt_set_fast_ccache [36] ZT GH
krb5_get_init_creds_opt_set_fast_ccache_name [37] ZT GH
krb5_get_init_creds_opt_set_fast_flags [38] ZT GH
krb5_get_init_creds_opt_set_forwardable [39] ZT GH
krb5_get_init_creds_opt_set_out_ccache [40] ZT GH
krb5_get_init_creds_opt_set_pa [41] ZT GH
krb5_get_init_creds_opt_set_preauth_list [42] ZT GH
krb5_get_init_creds_opt_set_proxiable [43] ZT GH
krb5_get_init_creds_opt_set_renew_life [44] ZT GH
krb5_get_init_creds_opt_set_salt [45] ZT GH
krb5_get_init_creds_opt_set_tkt_life [46] ZT GH
krb5_get_init_creds_password [47] ZT GH
krb5_get_profile [48] ZT GH
krb5_get_prompt_types [49] ZT GH
krb5_get_renewed_creds [50] ZT GH
krb5_get_validated_creds [51] ZT GH
krb5_init_context [52] ZT GH
krb5_init_secure_context [53] ZT GH
krb5_is_config_principal [54] ZT GH
krb5_is_thread_safe [55] ZT GH
krb5_kt_close [56] ZT GH
krb5_kt_default [57] ZT GH
krb5_kt_default_name [58] ZT GH
krb5_kt_get_name [59] ZT GH
krb5_kt_get_type [60] ZT GH
krb5_kt_resolve [61] ZT GH
krb5_kuserok [62] ZT GH
krb5_parse_name [63] ZT GH
krb5_parse_name_flags [64] ZT GH
krb5_principal_compare [65] ZT GH
krb5_principal_compare_any_realm [66] ZT GH
krb5_principal_compare_flags [67] ZT GH
krb5_prompter_posix [68] ZT GH
krb5_realm_compare [69] ZT GH
krb5_recvauth [70] ZT GH
krb5_recvauth_version [71] ZT GH
krb5_set_default_realm [72] ZT GH
krb5_set_password [73] ZT GH
krb5_set_password_using_ccache [74] ZT GH
krb5_set_principal_realm [75] ZT GH
krb5_set_trace_callback [76] ZT GH
krb5_set_trace_filename [77] ZT GH
krb5_sname_to_principal [78] ZT GH
krb5_unparse_name [79] ZT GH
krb5_unparse_name_ext [80] ZT GH
krb5_unparse_name_flags [81] ZT GH
krb5_unparse_name_flags_ext [82] ZT GH
krb5_us_timeofday [83] ZT GH
krb5_verify_authdata_kdc_issued [84] ZT GH

Abbreviations

abbreviation full names?
GH Greg Hudson
MIT MITKC group
TY Tom Yu
ZT Zhanna Tsitkova