Release Meeting Minutes/2014-06-17
Tony Acero, Viktor Dukhovni, Will Fiveash, Greg Hudson, Zhanna Tsitkov, Nico Williams, Tom Yu
- Will, have you seen any DB2 corruption since we fixed the last big bug?
- Haven't asked people yet; will make a note.
- Nico, Russ wants to know your preferred JSON lib.
- libjq https://github.com/stedolan/jq
- Have some changes to Heimdal (not pushed) to do capaths computation. Wanted to call jq from Heimdal, ran into problems with heimbase.
- Various scenarios where users ssh into DMZ machines -- DMZ has no connectivity to origin realm. Get and delegate krbtgt/target@target. Keeps origin creds from leaking into possibly less secure target realm.
- Selected realms get destination TGTs instead of origin TGTs forwarded; alternatively, white list realms that get origin TGTs.
- Two pieces
- list of target realms to which to forward local target TGTs
- client lib on destination app server -- deal with the weird ccache
We think identifying the "starting TGT" in a ccache for this situation (client origin realm different from krbtgt/A@A) is helpful, probably using a ccache config entry.
- Java bug -- sometimes picks wrong krbtgt/A@A if there are multiple in cache.
- Does hopping realms work? e.g. client@A ssh to DMZ realm B, then ssh to different DMZ realm C that can't talk to B?
- Should work.
- Receive side might be better to implement first.
- Need to coordinate how to structure the configuration settings.
- Sent mail re DB2 -- probably haven't seen that kind of corruption since that bug [krbdev.mit.edu #5880] was fixed.