Kerberos

Day 1

1.7 and 1.8 features

Encryption Info

  • don't specify enc types in krb5.conf - enc types should be auto-negotiated so that the strongest encryption type is chosen by krb
  • no triple DES (MS doesn't support it)
    • RC4, AES (Win > Vista)
  • ktadd -e to specify encryption type for a principal
  • derived keys now cached on kdc

backend

ldap backend might support atomic increment replication

Kerberos 1.9

  • python test framework
  • NSS crypto backend
  • plugin framework
    • preauth, db, extra info (pulling from AD)
  • expose delegation chain (see the chain of trust)
  • Admin changes
    • logging
    • plugin to test pass quality
    • sync password changes
    • OTP (SecureID planned)
    • config file validator
  • Protocol changes
    • IAKERB (?)
    • Camellia
    • additional cipher modes, e.g. GCM

Future

  • interface to purge old keys (1.8.x?)
  • interface to delete specific enc types (1.8.x?)
  • trace logging (1.9)
  • password quality checking (1.9)
  • print enc types in “input form”
  • improve ipv6 support
  • improve key rollover (application keys)
  • decrease DNS dependence
  • plugins:
    • account lockout
    • audit support
    • password sync
    • ticket issuance ACL
    • friendlier smart card support

performance

  • decrease DNS traffic
  • avoid DNS stalls
  • replay cache
  • concurrency
    • state
    • reduce mutex contention
    • refactoring to support async/event loop APIs

cli config tester (validator.py)

  • python based
  • need YAML
  • validates your config options
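Tying the enctype advice from the Encryption Info section to the config-tester idea, here is an added example (not the validator.py mentioned above, and not MIT krb5 code): a small Python parser for the krb5.conf INI-style layout that flags explicit enctype lists in [libdefaults] and any single/triple DES entries in them. The sample krb5.conf is constructed for the example.

```python
# Constructed sample krb5.conf (not from the page) showing the settings the notes warn about.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-cbc-sha1 arcfour-hmac
    dns_lookup_kdc = true   # comment

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""

# libdefaults keys that pin enctypes and so defeat auto-negotiation
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# single DES and triple DES enctype name prefixes; RC4 (arcfour-hmac) is left alone
WEAK_PREFIXES = ("des-", "des3-")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat key = value pairs of each
    top-level section.  Nested { } blocks (realm definitions etc.) are skipped,
    since only [libdefaults] is needed for the enctype checks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or current is None or "=" not in line:
            continue                              # inside a { } block or not a pair
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_enctypes(text):
    """Return a list of findings: pinned enctype lists and DES/3DES entries."""
    findings = []
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        findings.append(f"{key} is set; remove it so enctypes are negotiated")
        for enctype in libdefaults[key].split():
            if enctype.lower().startswith(WEAK_PREFIXES):
                findings.append(f"{key} lists {enctype}: DES/3DES not supported by MS")
    return findings
```

Running `check_enctypes(SAMPLE_KRB5_CONF)` yields four findings: two pinned keys and one des3 entry under each.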
playground/kerberos/day1.txt · Last modified: 2010/06/08 16:19 by john