http://tools.ietf.org/wg/krb-wg/draft-ietf-krb-wg-preauth-framework/ describes a method of using a TGT to protect the privacy of the portions of a KDC request which are traditionally sent in plaintext (flexible authentication secure tunneling, or FAST). Because it encrypts the entire client request, this also establishes a way to tunnel data which can't safely be sent in plaintext, but which otherwise would be sufficient for authenticating the user (data provided by OTP tokens is a frequently-mentioned example).
krb5 1.7 added the krb5_get_init_creds_opt_set_fast_ccache_name() function to pass the library the name of a ccache which contains a TGT (typically one that's been obtained using keys from a local keytab file, or anonymously) to use for this purpose. When it's used, however, the client starts to require that the KDC also supports FAST.
While, for that reason, I doubt we'd want to turn it on by default universally, it'd be handy if we could provide admins with a way to ask sssd to use FAST.
owner: somebody => sbose
milestone: SSSD Deferred => SSSD 1.1
milestone: SSSD 1.1 => SSSD Deferred
According to Simo: Sam Hartman claims the 1.8 library automatically falls back if FAST is not supported by the KDC. Then it seems a good candidate for 1.4.
milestone: SSSD Deferred => NEEDS_TRIAGE
As you mention, with 1.8 things are indeed different -- FAST is not required just because you've set a ccache location. That behavior can be toggled on with krb5_get_init_creds_opt_set_fast_flags(KRB5_FAST_REQUIRED).
milestone: NEEDS_TRIAGE => SSSD 1.4.0
milestone: SSSD 1.5.0 => NEEDS_TRIAGE
component: SSSD => Kerberos Provider
Fedora 14 has MIT Kerberos 1.8 and, as mentioned earlier, FAST can be made optional with this release. I suggest that we add FAST support for sssd 1.5 based on a configure check for whether krb5_get_init_creds_opt_set_fast_flags() and maybe KRB5_FAST_REQUIRED are available.
We need to decide how we want to handle the two options to obtain the TGT needed for FAST. Not all KDCs may support anonymous access, and not all clients may have a keytab which can be used. I suggest adding another option here, and if it is not set we try first anonymously and then with the keytab, if available. Depending on an option which indicates whether we require FAST or whether it is optional, we fail or continue without FAST if the TGT cannot be obtained.
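The decision table implied by the two comments above (required versus optional FAST, and the proposed armor-TGT order of anonymous first, then keytab) as an added example; this is not SSSD's code, and every enum, struct and function name in it is hypothetical. The `fast_env` struct is a constructed stand-in for what a real KDC round trip and keytab probe would report, so the policy can be exercised offline. FAST_DEMAND stands for passing KRB5_FAST_REQUIRED to krb5_get_init_creds_opt_set_fast_flags(); FAST_TRY leaves that flag clear so a 1.8 library may fall back to an unarmored exchange.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names modelled on the ticket's proposal; not SSSD API. */
enum fast_mode { FAST_OFF, FAST_TRY, FAST_DEMAND };

/* Source of the armor TGT when the admin sets the (hypothetical) option;
 * FAST_PRINC_AUTO is "option not set": try anonymous first, then keytab. */
enum fast_principal { FAST_PRINC_AUTO, FAST_PRINC_ANONYMOUS, FAST_PRINC_KEYTAB };

/* Constructed view of the environment, standing in for real KDC/keytab probes. */
struct fast_env {
    bool kdc_allows_anonymous;  /* an anonymous TGT can be obtained */
    bool keytab_present;        /* the host keytab can be used for an armor TGT */
    bool kdc_supports_fast;     /* the KDC advertises FAST */
};

enum fast_outcome {
    FAST_ARMORED,    /* AS request is sent inside a FAST tunnel */
    FAST_UNARMORED,  /* sent in the clear: FAST off, or optional and unavailable */
    FAST_ERROR       /* FAST required but cannot be provided */
};

/* Try the armor-TGT sources in the order the ticket proposes.
 * Returns a label for the source that worked, or NULL if none did. */
static const char *obtain_armor_tgt(enum fast_principal princ, const struct fast_env *env)
{
    bool try_anon = (princ == FAST_PRINC_AUTO || princ == FAST_PRINC_ANONYMOUS);
    bool try_keytab = (princ == FAST_PRINC_AUTO || princ == FAST_PRINC_KEYTAB);

    if (try_anon && env->kdc_allows_anonymous)
        return "anonymous";
    if (try_keytab && env->keytab_present)
        return "keytab";
    return NULL;
}

/* Decide what happens to the user's AS request under the given policy;
 * *armor_source receives the source label when the request is armored. */
enum fast_outcome decide_fast(enum fast_mode mode, enum fast_principal princ,
                              const struct fast_env *env, const char **armor_source)
{
    if (armor_source)
        *armor_source = NULL;
    if (mode == FAST_OFF)
        return FAST_UNARMORED;

    const char *src = obtain_armor_tgt(princ, env);
    if (src == NULL)
        return (mode == FAST_DEMAND) ? FAST_ERROR : FAST_UNARMORED;

    if (!env->kdc_supports_fast) {
        /* Before krb5 1.8, setting the armor ccache alone made FAST mandatory.
         * With 1.8, only KRB5_FAST_REQUIRED (FAST_DEMAND here) makes this an error;
         * otherwise the library falls back to an unarmored exchange. */
        return (mode == FAST_DEMAND) ? FAST_ERROR : FAST_UNARMORED;
    }

    if (armor_source)
        *armor_source = src;
    return FAST_ARMORED;
}

int main(void)
{
    /* Constructed scenario: no anonymous access, keytab present, KDC does FAST. */
    struct fast_env env = { .kdc_allows_anonymous = false,
                            .keytab_present = true,
                            .kdc_supports_fast = true };
    const char *src;
    enum fast_outcome o = decide_fast(FAST_TRY, FAST_PRINC_AUTO, &env, &src);
    printf("outcome=%d armor=%s\n", (int)o, src ? src : "none");
    return 0;
}
```

The point worth noticing is the asymmetry between the two failure paths: when no armor TGT can be obtained the decision is entirely sssd's, whereas when the KDC lacks FAST the outcome depends on whether KRB5_FAST_REQUIRED was set, which is exactly why the 1.8 library behaviour makes an optional mode feasible.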
milestone: NEEDS_TRIAGE => SSSD 1.5.0
status: new => assigned
resolution: => fixed
status: assigned => closed
tests: 0 => 1
rhbz: => 0
Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.