1.7 planning: Collecting Projects to Estimate
Ken Raeburn
raeburn at MIT.EDU
Wed Jan 24 20:14:15 EST 2007
Here are a few more ideas...
KDC side:
Add an option to generate long, random salt strings on password
changes. This reduces the utility of precomputed password-to-key
dictionaries for environments where users do change their passwords
reasonably often.

Build KDC programs for Windows.

Better auditing: Make all KDC programs log all ticket requests (e.g.,
krb524, which is silent now) and database changes (every
kadmin/kpasswd change).

Add support for multiple master key versions (possibly of different
types) in database and for rolling upgrades, and test cases.
---
KDC address processing in libkrb5:
Cache getaddrinfo results on all platforms, to reduce lookups. This
requires rewriting some of the fake-getaddrinfo code.

Integrate the krb5 library's locate-service and send-to-address
functions, so we don't have to finish looking up the addresses of
every KDC before trying to contact any of them.
---
Testing:
Test kprop+kpropd, and that a slave KDC properly loads its newly
updated database.
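
An added illustration of the random-salt idea in the KDC list above; it is not part of the original message and is not MIT krb5 code. It runs only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key (the final DK step is omitted as a simplifying assumption), and the realm, principal and word list are constructed sample values.

```python
import hashlib
import os

ITERATIONS = 4096  # RFC 3962 default iteration count


def default_salt(realm, principal):
    """Default salt: realm followed by the principal's name components."""
    return (realm + "".join(principal.split("/"))).encode()


def random_salt(nbytes=16):
    """Long random salt, as proposed for password changes (length is an assumption)."""
    return os.urandom(nbytes)


def pbkdf2_stage(password, salt, keylen=32):
    """PBKDF2 stage only; a real KDC would apply DK(tkey, "kerberos") afterwards."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, keylen)


def build_dictionary(wordlist, salt):
    """Precomputed key-to-password table; it is only valid for one exact salt."""
    return {pbkdf2_stage(word, salt): word for word in wordlist}


WORDLIST = ["password", "letmein", "kerberos5", "hunter2"]  # constructed sample


def demo():
    realm, user = "EXAMPLE.ORG", "alice"  # constructed sample principal
    predictable = default_salt(realm, user)
    # The default salt is known before any password is set, so the table
    # can be computed once and reused until the principal is renamed.
    table = build_dictionary(WORDLIST, predictable)
    key_default_salt = pbkdf2_stage("letmein", predictable)
    # Same weak password, but the salt was regenerated at password change.
    key_random_salt = pbkdf2_stage("letmein", random_salt())
    return table.get(key_default_salt), table.get(key_random_salt)


if __name__ == "__main__":
    hit, miss = demo()
    print("default salt lookup:", hit)
    print("random salt lookup: ", miss)
```

A random salt does not make a weak password strong; it only forces the dictionary to be recomputed for each salt value.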