Heimdal in base
wollman at bimajority.org
Thu Sep 15 02:07:17 UTC 2016
<<On Wed, 14 Sep 2016 15:21:46 -0400 (EDT), Benjamin Kaduk <kaduk at MIT.EDU> said:
> Well, it's definitely too late for 11, now.
> But, Debian is preparing to remove their heimdal package entirely,
> imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728
The primary issue, so far as I can see, is that Heimdal and MIT were
only compatible in the parts of the API that were formally
standardized. For those of us who need MIT (to have a working kadmin,
for example), that has pretty much always boiled down to completely
disabling Heimdal in base (and anything that depends on it, like
OpenSSH, pam_krb5, and GSSAPI-authenticated NFS), and installing
replacement bits from ports/packages.
If we're going to remove Heimdal from base, we should completely
deorbit (or disable, as appropriate) all of the things that depend on
it, and make sure that there are ports that provide replacement
functionality. (AFAIK the only thing missing is gssd, the user-mode
side of the authenticated NFS support.) My bet would be that very few
FreeBSD users actually take advantage of this support, and unless
they're running in an all-FreeBSD or all-Heimdal shop probably have to
install MIT Kerberos anyway.
Since we're expecting to have packaged base complete for 12.0, having
to install a few extra packages (and replace some base packages with
ports packages) should not be an imposition, for those people who want
Kerberos support, and for many of us it would make fresh installs less
of a hassle.
Since 11.0 hasn't been released yet, is it within the realm of
possibility to officially deprecate Heimdal-in-base before it ships?
At this stage all that would involve is putting an announcement in the
(writing as the administrator of the CSAIL.MIT.EDU realm, but still
not speaking for MIT)