logo_kerberos.gif

Difference between revisions of "Ops feedback notes 2014-11-04"

From K5Wiki
Jump to: navigation, search
(New page: {{opsnotes|2014}} ==FIPS 140== Often people wave hands and say their Kerberos installation is "LoA 2". Need cert-based to get higher LoAs. Using cert-based auth for more sensitive stuf...)
 
(No difference)

Latest revision as of 18:41, 6 November 2014


FIPS 140

Often people wave hands and say their Kerberos installation is "LoA 2". Need cert-based to get higher LoAs. Using cert-based auth for more sensitive stuff. PKINIT for higher LoAs for Kerberos is interesting. Smart Card Windows login to ssh to Unix systems. Hop-by-hop forwarding of agent connection, etc. There are PuTTY patches for GSS-keyex with cascading creds.

Devops

Often sites will do customized builds in-house. For testing, some have QA environments that duplicate entire production KDC setup; others incrementally stage software changes via slave KDCs. It's best to allow for the testing-slave approach because full environment duplication is expensive.