Re: Proposed new blocking criterion for Fedora Server: GSSAPI SSO via SSH


On 10/06/2015 12:35 AM, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently, we have a number of blocking criteria in Fedora Server
around domain membership that the machine must be able to join a
domain and that a user must be able to log into the machine using
standard login mechanisms (console, GDM, etc.).

What we are lacking is a criterion specifying single-sign-on
functionality, which is a key part of the domain experience. I'd like
to propose that the following functionality be added as a Beta
criterion from here forth:

== Server Product Requirements ==

=== Remote Authentication ===
* A user who signs in locally or via SSH to a Fedora Server joined to
a FreeIPA or Active Directory domain using a supported domain-joining
mechanism[1] must be capable of connecting via SSH to any other Fedora
Server of the same version to which they have appropriate access
privileges without being required to re-enter their password.[2]
(Note: this assumes an "online" login; if the user logs in while
disconnected from the authentication server, they may not be able to
use SSO features without manual intervention.)

* Single-sign-on capabilities must be available without any additional
configuration by the user except the initial join to the domain.



[1] This means realmd in the current implementation, which is the
mechanism used under the hood by Cockpit. I'd recommend leaving out
more manual methods like ipa-client-install, adcli and 'net ads'.

[2] Under the hood, this means that the authentication negotiation
should happen via GSSAPI.


+1
Makes perfect sense.

Cheers,
Sudhir
--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
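
One way a tester could check the criterion proposed above from a domain-joined host, as an added example that is not part of the original thread. The script name and target host are hypothetical, and it assumes the MIT Kerberos `klist` and OpenSSH `ssh` clients are installed.

```shell
#!/bin/sh
# Added example: verify password-less GSSAPI login to another server.
# Usage: sh check-sso.sh <target-host>   (script name and host are hypothetical)

# Returns: 0 = GSSAPI SSO works
#          2 = no valid Kerberos ticket (e.g. the "offline" login case)
#          1 = ticket present but the GSSAPI-only SSH login failed
check_gssapi_sso() {
    target=$1

    # klist -s prints nothing and exits non-zero when the credential
    # cache is missing or holds only expired tickets.
    if ! klist -s; then
        echo "no valid Kerberos ticket; SSO cannot be tested" >&2
        return 2
    fi

    # BatchMode=yes forbids password prompts; limiting
    # PreferredAuthentications to gssapi-with-mic rules out public keys
    # and passwords; ControlPath=none avoids reusing an already
    # authenticated shared connection. A successful login under these
    # options was therefore made with GSSAPI.
    if ssh -o BatchMode=yes \
           -o GSSAPIAuthentication=yes \
           -o PreferredAuthentications=gssapi-with-mic \
           -o ControlPath=none \
           -o ConnectTimeout=10 \
           "$target" true; then
        echo "GSSAPI SSO to $target: OK"
        return 0
    fi
    echo "GSSAPI SSO to $target: FAILED" >&2
    return 1
}

# Run the check only when a target host is given on the command line.
if [ "$#" -gt 0 ]; then
    check_gssapi_sso "$1"
fi
```

An exit status of 2 separates the disconnected-login case noted in the proposal from a real SSO failure (status 1).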



