#1096 Clock skew in krb5 auth should result in offline operation, not failure

Created 5 years ago by sgallagh
Modified a day ago

Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428

Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.

We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.

Fields changed

coverity: =>
description: Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428

Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.

We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue. => Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428

Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.

We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.
milestone: NEEDS_TRIAGE => SSSD 1.9.0
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements

Fields changed

feature_milestone: =>
proposed_priority: => Nice to have

Per Stephen's suggestion I am bumping the priority.

proposed_priority: Nice to have => Important

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta

Fields changed

priority: major => minor

Fields changed

priority: minor => major

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Test and if done close otherwise re-triage.

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
milestone: SSSD 1.13 beta => Interim Bucket
review: => 0

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

  • master: 83011d97d17bd00e99ccf1e0302167a6bc0db84e

owner: somebody => jhrozek

Fields changed

resolution: => fixed
status: new => closed

a day ago

Metadata Update from @sgallagh:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12 beta

Login to comment on this ticket.

defect

Kerberos Provider

1.6.3

0

0

https://bugzilla.redhat.com/show_bug.cgi?id=756428

0

0

Not need

cancel