From Fedora Project Wiki

No edit summary
Line 16: Line 16:


A major new features in Kerberos 5 is the support for renewable tickets along with a maximum renewable lifetime. These are controlled by the administrator of the KDC. By deleting the credentials cache on reboot you have killed a major feature of Kerberos 5 and have enforced your own judgement and policy choice as superior of the KDC admin of a site. I disagree with cache not surviving a reboot. --[[User:Dkelson|Dkelson]] 21:15, 10 April 2012 (UTC)
A major new features in Kerberos 5 is the support for renewable tickets along with a maximum renewable lifetime. These are controlled by the administrator of the KDC. By deleting the credentials cache on reboot you have killed a major feature of Kerberos 5 and have enforced your own judgement and policy choice as superior of the KDC admin of a site. I disagree with cache not surviving a reboot. --[[User:Dkelson|Dkelson]] 21:15, 10 April 2012 (UTC)
This change is for the default location. If you feel it is necessary for your environment to use a different, persistent location, that will still be available and configurable. That said, this arrangement still allows for renewable tickets throughout the renewable lifetime so long as the client machine is not rebooted (suspend and hibernate also not constituting a reboot).
[[User:Sgallagh|Sgallagh]] 22:48, 10 April 2012 (UTC)

Revision as of 22:48, 10 April 2012

Would it make sense to create a #define that sets the ccache format so that if this ever changes again all that would be required is a respin (assuming all packages use that define)?

selinux

No mention of selinux dependencies? --Ktdreyer 02:47, 24 February 2012 (UTC)


"...and simplify locating the caches for NFSv4." This seems not to be explained in the feature page.--Mitr 12:12, 19 March 2012 (UTC)

I'm not sure it's an appropriate level of detail, but what I was referring to was gssd. Right now, it does something terrible: it trolls through /tmp looking for files that match krb5cc_UID* and then tests each one that it is capable of opening to see if it has live credentials. With the move to /run/user, gssd no longer will need to do this. It will instead be able to know with absolute certainty which credential cache it is supposed to be using. -- Sgallagh 12:15, 19 March 2012 (UTC)

Inflexible Policy

"The most noticable effect will be that credential caches will not survive a reboot (this is a security enhancement, preventing a stolen system from being accessed for still-valid credentials)."

A major new features in Kerberos 5 is the support for renewable tickets along with a maximum renewable lifetime. These are controlled by the administrator of the KDC. By deleting the credentials cache on reboot you have killed a major feature of Kerberos 5 and have enforced your own judgement and policy choice as superior of the KDC admin of a site. I disagree with cache not surviving a reboot. --Dkelson 21:15, 10 April 2012 (UTC)

This change is for the default location. If you feel it is necessary for your environment to use a different, persistent location, that will still be available and configurable. That said, this arrangement still allows for renewable tickets throughout the renewable lifetime so long as the client machine is not rebooted (suspend and hibernate also not constituting a reboot). Sgallagh 22:48, 10 April 2012 (UTC)