Release Meeting Minutes/2014-06-10
Thomas Hardjono, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Nico Williams, Tom Yu
Password history for LDAP back end
Simo mentions the LDAP password history attributes. This is for plaintext LDAP binds. Probably best to somehow encode something similar to what is currently used for principal key data storage and put in a new attribute.
Nico describes the use case. There are two realms, a client realm and a target realm. A client does SSH to a server in the target realm. Hosts in the target realm have no connectivity to the client realm. For security reasons, we want to forward krbtgt/target@target instead of krbtgt/client@client. Forwarding the cross-realm krbtgt/target@client causes problems for renewal. We find it somewhat surprising that it is possible to use krbtgt/target@client to get krbtgt/target@target, but it might not be expressly forbidden by the protocol spec. Simo would find it useful to selectively forward cross-realm tickets.
Several things are needed. The client needs to know when to delegate a cross-realm ticket rather than the normal TGT. The client library on the server needs to know to start from the target realm's TGT when getting service tickets, instead of cueing off the client principal's realm. Viktor will call in next week to describe more details.