Clock skew in krb5 auth should result in offline operation, not failure #2138
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1096
Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428
Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.
We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.
Comments
Comment from dpal at 2011-12-01 15:43:35
Fields changed
coverity: =>
description: Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428
Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.
We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue. => Split from https://bugzilla.redhat.com/show_bug.cgi?id=756428
Right now, if the clock is skewed when performing an online auth with Kerberos, we treat it as an error and deny access to the user. For convenience purposes, it would be better to treat this as an offline trigger and then attempt cached authentication instead.
We should be certain to report the failure to PAM_TEXT_DATA and the syslog, so that users and administrators are made aware of the issue.
milestone: NEEDS_TRIAGE => SSSD 1.9.0
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0
Comment from mkosek at 2011-12-16 16:04:28
Fields changed
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=756428 756428]
Comment from dpal at 2012-01-16 16:32:20
Fields changed
blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements
Comment from dpal at 2012-08-16 23:20:13
Fields changed
feature_milestone: =>
proposed_priority: => Nice to have
Comment from dpal at 2012-08-17 21:57:19
Per Stephen's suggestion I am bumping the priority.
proposed_priority: Nice to have => Important
Comment from dpal at 2012-09-04 23:20:23
Moving all the features planned for 1.10 release into 1.10 beta.
milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta
Comment from dpal at 2012-09-04 23:50:13
Fields changed
priority: major => minor
Comment from dpal at 2012-09-04 23:52:17
Fields changed
priority: minor => major
Comment from dpal at 2012-12-20 23:33:42
Fields changed
selected: => Not need
Comment from dpal at 2013-01-02 15:32:08
Moving tickets that are not a priority for SSSD 1.10 into the next release.
milestone: SSSD 1.10 beta => SSSD 1.11 beta
Comment from dpal at 2013-07-30 10:43:11
Test and if done close otherwise re-triage.
changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
milestone: SSSD 1.13 beta => Interim Bucket
review: => 0
Comment from dpal at 2013-07-30 12:54:43
Fields changed
milestone: Interim Bucket => SSSD 1.12 beta
Comment from jhrozek at 2013-11-29 12:00:14
owner: somebody => jhrozek
Comment from jhrozek at 2013-11-29 12:03:21
Fields changed
resolution: => fixed
status: new => closed
Comment from sgallagh at 2017-02-24 14:29:10
Metadata Update from @sgallagh:
The text was updated successfully, but these errors were encountered: