1.7 planning: Collecting Projects to Estimate

Will Fiveash William.Fiveash at sun.com
Wed Jan 31 17:06:58 EST 2007

Sun suggestions for MIT 1.7 seed projects:

- fallback admin server for multi-master

    Support a list of systems for the admin_server krb5.conf parameter
    with fallback behavior if a particular admin server does not

- ticket revocation

    The ability to revoke TGTs issued prior to some point in time would
    be good in the case of TGT compromise.  The idea is that instead of
    disabling someone's principal, the password/long term key could be
    changed and a command to revoke current TGT's would be run.  Nico
    notes that this requires a protocol but I thought I'd bring it up

    I also note that currently once a user has a TGT they can use that
    to renew their TGT or acquire service tickets even if the user's
    principal is expired or deleted from the KDB completely.  I plan on
    opening a bug on this.

- master key enctype migration

    Support for changing the master key enctype and migrating the KDB
    entries to be encrypted with the new key.

- safe default realm determination without DNS

    By default, if there is no explicit realm config, use the local
    host's domain information to determine the default realm by first
    trying to locate a KDC for a realm based on all components of the
    domain excluding the hostname (converting domain to all uppercase).
    If the KDC is not found, remove a leftmost domain component and try
    to locate a KDC for a realm based on that.  The loop continues until
    either a KDC is found or there is only one domain component left
    (the realm requires a minimum of two components).

    Example for foo.bar.sun.com:  first an attempt to locate a KDC for
    the realm BAR.SUN.COM would be made.  If a KDC was not found then
    the realm SUN.COM would be tried.  If a KDC was still not found then
    an error would be returned.

- login policy plugin support

    Provide support for the KDC to use a login policy plugin to
    determine if TGT should be issued and also log TGT issue success and
    failures.  The idea is this could allow vendor specific login policy
    control over TGT issuance with the vendor specific code in an plugin
    external to the KDC code.  The KDC code modification would be a
    plugin hook that the KDC would call before responding to a TGT
    request and another hook to record either a successful TGT issuance
    or failure (say if preauth verification fails).

- KDC principal alias support

    The KDC should support multiple principal aliases for a particular
    set principal keys. One use would be for a service on a system with
    multiple hostnames.  One set of keys could be generated for that
    system and the other service princ names could be aliases.

- host based administrative authz

    kadmind support for allowing an admin on a system that has a host
    service principal to authenticate using the host service principal
    key in the keytab and be able to create and manage other principals
    that include that host component (host component must be present).
    Example: a system foo.bar.sun.com has host/foo.bar.sun.com at SUN.COM
    keys in it's keytab.  The admin is then able to:

    kadmin -k -p host/foo.bar.sun.com -q 'addprinc nfs/foo.bar.sun.com'

- distributed global rcache

    Support for a global rcache such that multiple processes and systems
    could detect replays when sharing a service principal name.  This is
    useful for cluster environments where multiple systems are providing
    a service.
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070131/f9aa63d3/attachment.bin

More information about the krbdev mailing list