Re: MIT KRB5 Import Replacing Heimdal
Date: Mon, 26 May 2025 19:19:55 UTC
Thanks. This will be implemented through four or five commits. There will be a phabricator review for the Makefiles.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0

In message <E1uJcjT-0003gy-MZ@rmmprod06.runbox>, "Alexander Ziaee" writes:
> Hey Cy,
>
> I love this kind of deprecation workflow.
> I hope one day myself and others will get this good.
>
> Thanks,
> Alex
>
> On 2025-05-26 14:09 -04:00 EDT, "Cy Schubert" <Cy.Schubert@cschubert.com> wrote:
> > Hi,
> >
> > A little bit of background first, how I/we got here.
> >
> > About a year ago some people reached out to me about replacing our
> > ancient Heimdal 1.5.2 with MIT KRB5.
> >
> > Backing up about six months, I had updated Heimdal 1.5.2 to Heimdal
> > 7.5.0 locally -- buildworld passed but not tested. 7.7.0 was released.
> > Unfortunately my work was all for naught. A major restructuring of the
> > Heimdal base required rewriting the Makefiles, again.
> >
> > Then, a number of Heimdal CVEs were announced, necessitating the update
> > (locally) to Heimdal 7.8.0. Again the upstream sources and source tree
> > had changed significantly enough that my 7.7.0 work was an almost
> > throw-away. I was at the time considering approaching folks here on
> > arch@ about the possibility of replacing Heimdal with MIT KRB5. This
> > was about the time I received the last email.
> >
> > What does this mean for FreeBSD?
> >
> > The Kerberos authentication protocol is 100% the same. User apps will
> > not know the difference. Though some of the admin commands are slightly
> > different.
> >
> > The major differences between Heimdal and MIT KRB5 are the kadmin
> > protocol and the KDC database format.
> >
> > The KDC database format can be converted from Heimdal format to MIT
> > KRB5. During the last year a developer/sysadmin from ntp.org/nwtime.org
> > had converted their KDC DB to MIT from Heimdal.
> >
> > Why are we replacing Heimdal with MIT KRB5?
> >
> > MIT KRB5 is the industry standard. Having received emails from a member
> > of the enterprise group, and having worked in the enterprise
> > space for the majority of my 50 year career, interoperability with
> > other Kerberos servers such as Red Hat Identity Management (based on
> > FreeIPA) or Microsoft's Active Directory (with MIT KRB5 embedded) is
> > most likely the reason they have shown interest in MIT KRB5. MIT
> > KRB5 brings us in line with other services in the enterprise data
> > centre.
> >
> > My experience with MIT KRB5 dates from the mid 1990s.
> >
> > And of course my Heimdal updating experience from 7.5.0 --> 7.7.0 -->
> > abandoned 7.8.0.
> >
> > This is not the first time MIT KRB5 has been brought up either. The first time I
> > recall was by pfg@ a number of years ago.
> >
> > The paramount reason for this is the request by the enterprise working
> > group which, professionally, I cannot argue with. I've worked in this
> > space for the majority of my career.
> >
> > What about implementation?
> >
> > My implementation adds a new knob WITH_MITKRB5. If enabled buildworld
> > will build MIT KRB5 instead of Heimdal 1.5.2. Without it buildworld
> > will default to Heimdal 1.5.2. After a period of time, to be determined
> > by the FreeBSD community, the default will switch to MIT KRB5, with
> > optional Heimdal build. The proposal is to enable MIT KRB5 when
> > 15.0-RELEASE is cut (or later), and for Heimdal 1.5.2 to be removed from the
> > source tree for 16.0-RELEASE (or later).
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > NTP: <cy@nwtime.org> Web: https://nwtime.org
> >
> > e^(i*pi)+1=0