Can't reply on the wiki page, FAS is throwing a 500 server error when I try to log in.
On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jrez...@redhat.com> wrote:

> = Features/LessBrittleKerberos =
> https://fedoraproject.org/wiki/Features/LessBrittleKerberos
>
> Feature owner(s): Stef Walter <st...@redhat.com>
>
> Make kerberos in Fedora simpler to use by removing some of the brittleness
> that are common failure points. In particular we remove the need for kerberos
> clients to sync their clocks, and remove the need to have reverse DNS records
> carefully set up for services.
>
> == Detailed description ==
> MIT kerberos 1.11 now contains work so that clients do not have to sync their
> system clocks with that of the KDC. A time offset is discovered during preauth
> and stored along with the local credentials. This removes a common point of
> failure when using kerberos.

One concern, would this time offset be per server on the client, e.g. if people get used to this then a group of servers may all have varyingly wrong times (e.g. server A is 10 minutes fast, server B is 34 minutes slow and server C is only off by 2 seconds). Also MITM attacks again.

> Kerberos clients can optionally verify reverse DNS records for services that
> they connect to as a way of trying to identify which realm they belong to.
> However in many cases these do not exist. Kerberos should fall back to its
> default behavior in that case. Failure to do this is a common point of failure
> when using kerberos.

Would this for example cache data so that, for example, if the server has reverse DNS set up and then it stops working, the client warns the user (e.g. indicating a possible man in the middle attack)?

> Further enhancements will be included in kerberos 1.11:
>
> * http://k5wiki.kerberos.org/wiki/Projects/Responder (for 1.11)
> * http://web.mit.edu/kerberos/krb5-latest/

--
Kurt Seifried
k...@seifried.org
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel