Re: MIT KRB5 Import Replacing Heimdal
- In reply to: Rick Macklem : "Re: MIT KRB5 Import Replacing Heimdal"
Date: Tue, 27 May 2025 02:01:08 UTC
In message <CAM5tNy48WTQckqwhvGytrsBkLjJOuYCut769Y+=p4fNUmq6RNA@mail.gmail.com>, Rick Macklem writes:
> On Mon, May 26, 2025 at 11:09 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > Hi,
> >
> > A little bit of background first, how I/we got here.
> >
> > About a year ago some people reached out to me about replacing our
> > ancient Heimdal 1.5.2 with MIT KRB5.
> >
> > Backing up about six months, I had updated Heimdal 1.5.2 to Heimdal
> > 7.5.0 locally -- buildworld passed but not tested. 7.7.0 was released.
> > Unfortunately my work was all for naught. A major restructuring of the
> > Heimdal base required rewriting the Makefiles, again.
> >
> > Then, a number of Heimdal CVEs were announced, necessitating the update
> > (locally) to Heimdal 7.8.0. Again the upstream sources and source tree
> > had changed significantly enough that my 7.7.0 work was an almost
> > throw-away. I was at the time considering approaching folks here on
> > arch@ about the possibility of replacing Heimdal with MIT KRB5. This
> > was about the time I received the last email.
> >
> > What does this mean for FreeBSD?
> I support this switchover, but I vaguely recall there used to be a lot
> of differences w.r.t. the library APIs.
> Is that still the case?

Yes, there are some differences. Heimdal mostly implements functions not found in MIT. The differences can be found here:

https://k5wiki.kerberos.org/wiki/Samba%27s_use_of_Heimdal_symbols,_with_MIT_differences

During my implementation here, there were only two modules. One was pam_ksu, for which I implemented a local copy of krb5_make_principal() that calls underlying KRB5 functions found in both MIT and Heimdal. The other was dealt with by importing the BSD-licensed eyrie.org pam-krb5, the basis for our security/pam_krb5 port.

OpenSSH needed the #define HEIMDAL removed, to be defined by its Makefile.

gssd does make a call to krb5_get_init_creds_opt_set_default_flags() at line 1191 of gssd.c. It is not important to set the default realm name in order to return the handle to the default keytab.

I found no other conversion issues. The NFS functions only call GSSAPI functions.

> > rick

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0