Kerberos and FreeBSD

Rick Macklem rmacklem at
Thu Feb 9 01:41:36 UTC 2012

Benjamin Kaduk wrote:
> On Wed, 8 Feb 2012, Ansar Mohammed wrote:
> > Hello All,
> > Is the port of Heimdal on FreeBSD being maintained? The version that
> > ships with 9.0 seems a bit old.
> >
> > #> /usr/libexec/kdc-v
> > kdc (Heimdal 1.1.0)
> > Copyright 1995-2008 Kungliga Tekniska Högskolan
> > Send bug-reports to heimdal-bugs at
>
> My understanding is that every five years or so, someone becomes fed up
> enough with the staleness of the "current" version and puts in the effort
> to merge in a newer version.
> It looks like 3 years ago, dfr brought in that Heimdal 1.1 you see, to
> replace the Heimdal 0.6 that nectar brought in 8 years ago.
> I don't know of anyone with active plans to bring in a new version, at
> present.
> -Ben Kaduk

I think it's a little trickier than it sounds. The Kerberos in FreeBSD
isn't vanilla Heimdal 1.1, but a somewhat modified variant.

Heimdal libraries have a separate source file for each function, plus
a source file that defines all global storage used by functions in the
One difference w.r.t. the FreeBSD variant that I am aware of is:
- Some of the functions were moved from one library to another. (I don't
  know why, but maybe it was to avoid a POLA violation which would require
  apps to be linked with additional libraries?)
  - To do this, some global variables were added to the source file in the
    library these functions were moved to.
As such, if you statically link an app. to both libraries, the global variable
can come up "multiply defined". (I ran into this when I was developing a "gssd"
prior to the one introduced as part of the kernel rpc.) You can get around this
by dynamically linking, being careful about the order in which the libraries are
specified. (The command "krb5-config --libs" helps w.r.t. this.)

I don't know what else was changed, but I do know that it isn't as trivial as
replacing the sources with ones from a newer Heimdal release.

I think it would be nice if a newer Heimdal release was brought in, with the
minimal changes required to make it work. (If that meant that apps. needed more
libraries, the make files could use "krb5-config --libs" to handle it, I think?)

Oh, and I'm not volunteering to try and do it;-) rick

More information about the freebsd-hackers mailing list