Release Meeting Minutes/2014-06-17

From K5Wiki

Tony Acero, Viktor Dukhovni, Will Fiveash, Greg Hudson, Zhanna Tsitkov, Nico Williams, Tom Yu

Tom
Will, have you seen any DB2 corruption since we fixed the last big bug?
Will
Haven't asked people yet; will make a note.
Greg
Nico, Russ wants to know your preferred JSON lib.
Nico
libjq https://github.com/stedolan/jq
Nico
Have some changes to Heimdal (not pushed) to do capaths computation. Wanted to call jq from Heimdal, ran into problems with heimbase.

Firewalled realms

Viktor
Various scenarios where users ssh into DMZ machines -- DMZ has no connectivity to origin realm. Get and delegate krbtgt/target@target. Keeps origin creds from leaking into possibly less secure target realm.
Viktor
Selected realms get destination TGTs instead of origin TGTs forwarded; alternatively, white list realms that get origin TGTs.
Tom
Two pieces
  1. list of target realms to which to forward local target TGTs
  2. client lib on destination app server -- deal with the weird ccache

We think identifying the "starting TGT" in a ccache for this situation (client origin realm different from krbtgt/A@A) is helpful, probably using a ccache config entry.

Viktor
Java bug -- sometimes picks wrong krbtgt/A@A if there are multiple in cache.
Tom
Does hopping realms work? e.g. client@A ssh to DMZ realm B, then ssh to different DMZ realm C that can't talk to B?
Viktor
Should work.
Greg
Receive side might be better to implement first.
Tom
Need to coordinate how to structure the configuration settings.

DB2

Will
Sent mail re DB2 -- probably haven't seen that kind of corruption since that bug [krbdev.mit.edu #5880] was fixed.