kerberos testing server/realm

kerberos testing server/realm

bodik
Hello,

I have a question regarding testing GSS-API/Kerberos enabled applications.

While working on some tweaks for rsyslogd I found that developers might miss a
testing environment. Of course it is possible for everyone to create a TEST realm,
register all needed principals (which could be tough in dynamic clouds) and
happily test the application, at least some of its basic functionality which
depends on auth...

But I was thinking whether there would be something like "static_kdc.c"? Some very
small implementation without all fancy features like PA, crossrealming, heavy
encryption, something which would just send out session keys to everybody having
some static secrets for anyone ... ?

Is there anything like that, or could this even be possible?
Or am I completely out of line?

Thanks for replies
Radoslav Bodo
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos testing server/realm

Roland Mainz


----- Original Message -----

> From: "bodik" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, September 2, 2014 10:20:23 AM
> Subject: kerberos testing server/realm
>
> Hello,
>
> I have a question regarding testing GSS-API/Kerberos enabled applications.
>
> While working on some tweaks for rsyslogd I found that developers might miss
> a testing environment. Of course it is possible for everyone to create a TEST
> realm, register all needed principals (which could be tough in dynamic clouds)
> and happily test the application, at least some of its basic functionality
> which depends on auth...
>
> But I was thinking whether there would be something like "static_kdc.c"? Some
> very small implementation without all fancy features like PA, crossrealming,
> heavy encryption, something which would just send out session keys to
> everybody having some static secrets for anyone ... ?
>
> Is there anything like that, or could this even be possible?
> Or am I completely out of line?

... and while we're making a wishlist for test environments... what about a way to run such a test KDC on a given pipe file (e.g. /tmp/mypipe or /dev/fd/18 or /proc/$parentpid/fd/18 for pipe/socket descriptors inherited by the parent process) so that neither special (root/admin) permissions are required nor IPv[46]/port collisions need to be avoided (think about running hundreds of tests in parallel).

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) [hidden email]
  \__\/\/__/  IPA/Kerberos5 team
  /O /==\ O\  
 (;O/ \/ \O;)
 

Re: kerberos testing server/realm

Greg Hudson
In reply to this post by bodik
On 09/02/2014 04:20 AM, bodik wrote:
> But I was thinking whether there would be something like "static_kdc.c"? Some very
> small implementation without all fancy features like PA, crossrealming, heavy
> encryption, something which would just send out session keys to everybody having
> some static secrets for anyone ... ?

> Is there anything like that, or could this even be possible?
> Or am I completely out of line?

It's possible in theory, but I don't think it would decrease the
administrative burden of deploying it by much, so it wouldn't warrant
the development burden of maintaining an additional KDC implementation.

Re: kerberos testing server/realm

Jason Edgecombe-3
On 09/02/2014 12:53 PM, Greg Hudson wrote:

> On 09/02/2014 04:20 AM, bodik wrote:
>> But I was thinking whether there would be something like "static_kdc.c"? Some very
>> small implementation without all fancy features like PA, crossrealming, heavy
>> encryption, something which would just send out session keys to everybody having
>> some static secrets for anyone ... ?
>> Is there anything like that, or could this even be possible?
>> Or am I completely out of line?
> It's possible in theory, but I don't think it would decrease the
> administrative burden of deploying it by much, so it wouldn't warrant
> the development burden of maintaining an additional KDC implementation.

I understand that having a simpler dev/test environment is desirable,
but a test environment is most valuable when it matches the production
environment.