On Tue, Oct 25, 2016 at 3:00 PM, Dennis Gilmore
<dennis(a)ausil.us> wrote:
> On Tuesday, October 25, 2016 2:42:15 PM CDT Ken Dreyer wrote:
>> Hi Amanda,
>>
>> I'm curious about this change: "Kerberos support in koji, fedpkg, OSBS"
>>
>> Is koji.fedoraproject.org going to eventually stop supporting TLS
>> authentication, and we'll have a Fedora-project-wide Kerberos
>> infrastructure instead?
>
> there will be Kerberos auth for koji and lookaside cache, if it will be project
> wide or not I am not sure that is decided yet.

Thanks Dennis.

I'm curious about this because most organizations do not expose their
KDCs directly to the internet. As I understand it, it's possible for a
passive attacker to sniff the TGT exchange and brute-force a password,
whereas this attack scenario is not possible with Koji's current HTTPS
client cert authentication.

We implemented HTTPS proxying of the Kerberos protocol, based on the
MS-KKDCP specification. It is in MIT Kerberos 1.13+.
--
/ Alexander Bokovoy
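
As an added illustration (not part of the thread and not code from MIT Kerberos): a minimal Python encoder/decoder for the KDC-PROXY-MESSAGE body that MS-KKDCP carries inside the HTTPS request, so the Kerberos exchange is only visible inside TLS. It assumes the spec's explicitly tagged layout (kerb-message [0], target-domain [1]; the optional dclocator-hint [2] is not produced), and the function names are hypothetical.

```python
# Added example. Assumed ASN.1: SEQUENCE { [0] OCTET STRING, [1] GeneralString OPTIONAL }
import struct

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: next n octets hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def wrap(krb_msg, realm):
    """Build the HTTPS request body around one raw Kerberos message."""
    framed = struct.pack("!I", len(krb_msg)) + krb_msg   # 4-byte length, as on TCP
    kerb = tlv(0xA0, tlv(0x04, framed))                  # [0] EXPLICIT OCTET STRING
    dom = tlv(0xA1, tlv(0x1B, realm.encode("ascii")))    # [1] EXPLICIT GeneralString
    return tlv(0x30, kerb + dom)

def unwrap(body):
    """Parse a body; return (krb_msg, realm or None). Rejects malformed input."""
    tag, seq, end = read_tlv(body)
    if tag != 0x30 or end != len(body):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        fields[ctx] = read_tlv(inner)[1]
    framed = fields.get(0xA0, b"")
    if len(framed) < 4 or struct.unpack("!I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("missing kerb-message or bad length prefix")
    realm = fields[0xA1].decode("ascii") if 0xA1 in fields else None
    return framed[4:], realm
```
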