new | ask | show | jobs
ptx 12 hours ago  [ - ]

> this new method is possible to work because FreeBSD switched from Heimdal Kerberos implementation to MIT Kerberos in FreeBSD 15.0-RELEASE … and I am really glad that FreeBSD finally did it.

What was the problem with Heimdal? The FreeBSD wiki says they used an old version, but why not upgrade to a newer version of Heimdal instead of switching to an entirely different implementation?

cryptonector 5 hours ago  [ - ]

Because we (Heimdal) need to make a release, darn it. I'm going to cut an 8.0 beta within a week or two.

Basically, an 8.0 release is super pent up -- years. It's got lots of very necessary stuff, including support for the extended GSS-API "cred store" APIs, which are very handy. Lots of iprop enhancements, "virtual service principal namespaces", "synthetic client principals", lots of PKINIT enhancements, modern public key cryptography (but not PQ), etc.

The issue is that the maintainers (myself included) have been busy with other things. But the pressure to do a release has ramped up significantly recently.

lukeh 3 hours ago  [ - ]

Also things like support for GSS-API pre-authentication mechanisms (so, you can use an arbitrary security mechanism such as EAP to authenticate yourself to the KDC), the new SAnon mechanism, pulling in some changes from Apple's fork, replacing builtin crypto with OpenSSL, etc. Lack of release has been typical OSS lack of resources: no one is paid to work on Heimdal full time.

cryptonector 3 hours ago  [ - ]

Oh yeah, it's huge.

Also included are experimental:

- httpkadmind (which together with virtual service principal namespaces makes a very nice keytab orchestration system)

- bx509d (an online CA)

- JWT support for the above

p_ing 8 hours ago  [ - ]

This [0] may provide a hint. Heimdal was developed outside of the US and not subject to export restrictions, unlike MIT. So perhaps in the beginning it wasn’t the package of choice to begin with.

And this [1] says for interoperability reasons.

[0] https://docs-archive.freebsd.org/doc/11.1-RELEASE/usr/local/...

[1] https://freebsdfoundation.org/project/import-mit-kerberos-in...

cryptonector 4 hours ago  [ - ]

I don't think that has anything to do with FreeBSD's choice of MIT Kerberos or Heimdal.

p_ing 3 hours ago  [ - ]

Well, except the FreeBSD Foundation explicitly says MIT was chosen for interoperability.

Are you disputing the FreeBSD Foundation document?

cryptonector 3 hours ago  [ - ]

Er, sorry, I meant the whole thing about Heimdal being non-U.S. based.