Re: MIT KRB5 Import Replacing Heimdal

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Tue, 27 May 2025 00:49:41 UTC
On Mon, May 26, 2025 at 11:09 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> Hi,
>
> A little bit of background first, how I/we got here.
>
> About a year ago some people reached out to me about replacing our
> ancient Heimdal 1.5.2 with MIT KRB5.
>
> Backing up about six months, I had updated Heimdal 1.5.2 to Heimdal
> 7.5.0 locally -- buildworld passed but not tested. 7.7.0 was released.
> Unfortunately my work was all for naught. A major restructuring of the
> Heimdal base required rewriting the Makefiles, again.
>
> Then, a number of Heimdal CVEs were announced, necessitating the update
> (locally) to Heimdal 7.8.0. Again the upstream sources and source tree
> had changed significantly enough that my 7.7.0 work was an almost
> throw-away. I was at the time considering approaching folks here on
> arch@ about the possibility of replacing Heimdal with MIT KRB5. This
> was about the time I received the last email.
>
> What does this mean for FreeBSD?
I support this switchover, but I vaguely recall there used to be a lot
of differences w.r.t. the library APIs.
Is that still the case?

rick

>
> The Kerberos authentication protocol is 100% the same. User apps will
> not know the difference. Though some of the admin commands are slightly
> different.
>
> The major differences between Heimdal and MIT KRB5 are the kadmin
> protocol and the KDC database format.
>
> The KDC database format can be converted from Heimdal format to MIT
> KRB5. During the last year a developer/sysadmin from ntp.org/nwtime.org
> had converted their KDC DB to MIT from Heimdal.
>
> Why are we replacing Heimdal with MIT KRB5?
>
> MIT KRB5 is the industry standard. Having received emails from a member
> of the enterprise group, and having worked in the enterprise
> space for the majority of my 50 year career, interoperability with
> other Kerberos servers such as Red Hat Identity Management (based on
> FreeIPA) or Microsoft's Active Directory (with MIT KRB5 embedded) is
> most likely the reason they have shown interest in MIT KRB5. MIT
> KRB5 brings us in line with other services in the enterprise data
> centre.
>
> My experience with MIT KRB5 is since the mid 1990s.
>
> And of course my Heimdal updating experience from 7.5.0 --> 7.7.0 -->
> abandoned 7.8.0.
>
> This is not the first time MIT KRB5 has been brought up either. The
> first time I recall was by pfg@ a number of years ago.
>
> The paramount reason for this is the request by the enterprise working
> group which, professionally, I cannot argue with. I've worked in this
> space for the majority of my career.
>
> What about implementation?
>
> My implementation adds a new knob WITH_MITKRB5. If enabled buildworld
> will build MIT KRB5 instead of Heimdal 1.5.2. Without it buildworld
> will default to Heimdal 1.5.2. After a period of time, to be determined
> by the FreeBSD community, the default will switch to MIT KRB5, with
> optional Heimdal build. The proposal is to enable MIT KRB5 when
> 15.0-RELEASE is cut (or later), and that Heimdal 1.5.2 be removed from
> the source tree for 16.0-RELEASE (or later).
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
> NTP:           <cy@nwtime.org>    Web:  https://nwtime.org
>
>                         e^(i*pi)+1=0
>