On ti, 25 loka 2016, Ken Dreyer wrote:
On Tue, Oct 25, 2016 at 3:00 PM, Dennis Gilmore <dennis@xxxxxxxx> wrote:
On martes, 25 de octubre de 2016 2:42:15 PM CDT Ken Dreyer wrote:
Hi Amanda,
I'm curious about this change: "Kerberos support in koji, fedpkg, OSBS "
Is koji.fedoraproject.org is going to eventually stop supporting TLS
authentication, and we'll have a Fedora-project-wide Kerberos
infrastructure instead?
there will be kerberos auth for koji and lookaise cache, if it will be project
wide or not I am not sure that is decided yet.
Thanks Dennis.
I'm curious about this because most organizations do not expose their
KDCs directly to the internet. As I understand it, it's possible for a
passive attacker to sniff the TGT exchange and brute-force a password,
whereas this attack scenario is not possible with Koji's current HTTPS
client cert authentication.
We implemented HTTPS proxying of the Kerberos protocol, based on
MS-KKDCP specification. It is in MIT Kerberos 1.13+.
--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
