1.7 planning: Collecting Projects to Estimate

Ken Raeburn raeburn at MIT.EDU
Wed Jan 24 20:14:15 EST 2007

Here are a few more ideas...

KDC side:

Add an option to generate long, random salt strings on password  
changes.  This reduces the utility of precomputed password-to-key  
dictionaries for environments where users do change their passwords  
reasonably often.

Build KDC programs for Windows.

Better auditing: Make all KDC programs log all ticket requests (e.g.,
krb524, which is silent now) and database changes (every
kadmin/kpasswd change).

Add support for multiple master key versions (possibly of different  
types) in database and for rolling upgrades, and test cases.


KDC address processing in libkrb5:

Cache getaddrinfo results on all platforms, to reduce lookups.  This  
requires rewriting some of the fake-getaddrinfo code.

Integrate the krb5 library's locate-service and send-to-address  
functions, so we don't have to finish looking up the addresses of  
every KDC before trying to contact any of them.



Test kprop+kpropd, and that a slave KDC properly loads its newly  
updated database.
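
The random-salt idea above, as an added example that is not part of the original message or of the krb5 code base: a password-to-key table precomputed for a principal's default salt still matches after a password change that keeps that salt, and stops matching once the change picks a random salt. It assumes the AES string-to-key of RFC 3962 and models only its PBKDF2 stage; the realm, principal, word list and function names are constructed for illustration.

```python
import hashlib
import os

ITERATIONS = 4096  # default PBKDF2 iteration count in RFC 3962


def default_salt(realm, principal):
    """Default Kerberos salt: realm followed by the principal's name components."""
    return (realm + principal.replace("/", "")).encode()


def derive(password, salt):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)


def build_table(candidates, salt):
    """Password-to-key dictionary precomputed for one known salt."""
    return {derive(pw, salt): pw for pw in candidates}


def change_password(new_password, realm, principal, random_salt):
    """Return (salt, key) as a KDC could store them after a password change."""
    if random_salt:
        salt = os.urandom(16).hex().encode()  # long random salt, chosen per change
    else:
        salt = default_salt(realm, principal)
    return salt, derive(new_password, salt)


def demo():
    realm, principal = "EXAMPLE.COM", "alice"           # constructed values
    candidates = ["letmein", "Summer2007", "kerberos"]  # constructed word list
    # Table computed ahead of time, using only the publicly derivable default salt.
    table = build_table(candidates, default_salt(realm, principal))
    _, key_default = change_password("Summer2007", realm, principal, random_salt=False)
    _, key_random = change_password("Summer2007", realm, principal, random_salt=True)
    # First lookup recovers the password; second misses despite the same password.
    return table.get(key_default), table.get(key_random)


if __name__ == "__main__":
    print(demo())
```

The random salt does not make a weak password strong; it only forces the dictionary work to be redone per principal and per password change instead of being reused.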
