Release Meeting Minutes/2012-01-24
From K5Wiki
Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu
gss_export_cred
Simo suggests a new API for exporting GSS creds.
- Greg
- Might be using a memory ccache or a file. Would have to serialize contents.
- Simo
- To use in GSS proxy.
- Tom
- consider e.g. nonexportable keys in hardware security modules
- Simo
- Stateless server for GSS proxy. Server could encrypt credentials in a long-term key to hand to the client.
- Tom
- So externalizing server state to client without client using them.
- Simo
- Also possibly for clients to use.
- Greg
- Resource consumptino... encryption, memory.
- Simo
- Also thinking about exporting partially initialized context.
- Greg
- See also IETF GSS preauth proposal.
- Tom
- Is statelessness a requirement?
- Simo
- Denials of service, memory leaks, etc. make stateless attractive.
- Tom
- Consider replays, reordering, etc.
- Greg
- Maybe 1.11, but we're not committing to anything just yet.
- Simo
- Standards?
- Greg
- Not for the token format.
- Tom
- Standards for API.
- Simo
- Use Kerberos initially... maybe GSS-EAP later?
- Greg
- Also define whether API or caller is responsible for encrypting the token.
verify_init_creds
- Will
- Started thread based on talking to a customer. Hostnames change. pam_krb5 in auth stack. Why not try every principal in the keytab?
- Greg
- Say system keytab has both host and http keys. Other keytab (containing only http key) readable by httpd could fake any principal.
- Greg
- Maybe try all or first "host" principal in keytab.
- Tom
- Either could be a krb5-1.10.x bugfix.