To start I will use this as a scratchpad for my own thoughts on Kerberos, later it will take a more organized shape.

The current state in Feisty is pretty good, most network app clients (that I care about) are compiled against either MIT or Heimdal client libraries.

I think it makes sense to switch all (clients) to Heimdal, to gain the in-memory KCM credentials cache, as it will likely be the doorway to an Selinux secured keyring like gnome-keyring-manager in the user's session. When an open source identity manager is available ala "7 Laws of Identity" that would be the ultimate.

Ok well to be fair MIT has an in-memory ccache on Mac and Windows last I checked. I'm partial to Heimdal. Does MIT have windows enctype for RC4: yes it does. How's the Active Directory interop?

I'd like to see Gaim and other XMPP IM clients support Kerberos, there's some neat potential user-to-user authentication uses.

cyrus-sasl2 produces package libsasl2-modules-gssapi-heimdal, but it's empty and just installs MIT version.

VNC viewer with kerberos and user level IPSEC support.

I wonder if X509 support in client apps shouldn't parallel Kerberos support.

I was able to recompile Feisty pkgs with Heimdal:

  • evolution-data-server - evolution works, but if tickets are expired you get a cryptic "krb5 unknown 32" popup, with MIT it says "Ticket Expired"
  • openssh - seems to work
  • libpq5 - untested

things in have pending recompile:

  • libneon25, libneon26 - i don't use kerberos with subversion, openoffice, or gstreamer
  • libcurl3, libcurl3-gnutls
  • smbclient
  • samba-common
  • libsmbclient

things apt-cache showpkg reports that I don't have:

  • asterisk
  • winbind
  • smbfs
  • libclamav2
  • krb5-*
  • php5-*
  • nfs-kernel-server - nfs v4 could be interesting with KCM
  • ipsec-tools


KerberizingUbuntu (last edited 2008-08-06 16:19:42 by localhost)