
News

Posted about 16 years ago by lha
It was over a year ago the last release was made; today we have published 1.3.1. We already released 1.3.0 last week but never announced it. Here is a summary of the changes included in the release: Major changes in 1.3.1: Make work with OpenLDAP's krb5 overlay. Major changes in 1.3.0: Partial support for MIT kadmind rpc protocol in kadmind. Better support [...]
Posted about 16 years ago by lha
Or how everything turned into a nail. Maybe this should be titled, how everything turned into a nail when I got a hammer. There are a couple of use cases I want to discuss first, and then why krb5_cc_[gs]et_config() isn’t usable for everything. First out is Windows, you just talked to a Windows AD KDC to get your TGT, but [...]
Posted about 16 years ago by lha
This is a continuation of the previous article about ISC. The gssapi function ASC (gss_accept_sec_context) is also a complicated function; one can argue ASC is simpler than ISC since ASC only takes 11 arguments. OM_uint32 gss_accept_sec_context (OM_uint32 * /*minor_status*/, gss_ctx_id_t * [...]
Posted about 16 years ago by lha
We got some feedback that it would be good if it was possible to cross compile Heimdal, and with some minor work that is now possible. It’s all documented at http://www.h5l.org/compile.html#cross; as usual libtool is somewhat in the way. The current problem is that libtool is not aware of the target’s build environment, but it seems [...]
Posted about 16 years ago by lha
ISC. Let’s start to dissect some of the GSS-API functions, first out is gss_init_sec_context (ISC for short). The gssapi function ISC is a very complicated function, just look at the 13 arguments it takes, and for every round it’s called in an authentication some of them need to be the same, and some need to change. OM_uint32 gss_init_sec_context [...]
Posted almost 17 years ago by lha
Heimdal now has support for ECDSA (Elliptic curve, signature mode) and ECDH (Elliptic curve, key exchange mode) when compiled with OpenSSL, no hcrypto support yet. Using ECDSA is turned on when using EC certificates, both the signature verification and CMS are done using EC certificates. ECDH is used when using ECDSA, so it’s also used when using EC certificates [...]
Posted almost 17 years ago by lha
I’ve just added anonymous Kerberos/pkinit to the KDC and the client libraries. Still only AS-REQ, what is missing is TGS-REQ and GSS-API support. kinit --anonymous REALM What has been implemented is draft-ietf-krb-wg-anon-04. At the same time support for enterprise names when using PK-INIT slipped in. This is very cool, just point a cert, and the kinit will search [...]
Posted almost 17 years ago by lha
Setting up Heimdal with PK-INIT is very easy. Heimdal by itself contains all the tools so you can do the setup. We assume that you don’t have a CA when we do the setup. Some facts: The realm name we are going to use is EXAMPLE.ORG, the kdc is named kdc.example.org, the user is [email protected]. Create the certificates needed: First [...]
Posted almost 17 years ago by lha
Or how to talk to the Kerberos KDC over your application protocol. Talking to the KDC with no network: Sometimes you want to talk to the KDC when there is limited or direct network. Or your application simply knows better how to communicate with the KDC. For example, if it was possible to use EAP with GSS-API so it run Kerberos [...]
Posted about 17 years ago by lha
I’ve created a new API to the krb5_ functions, it’s for storing Kerberos related data in the credential cache. Realm configuration that is fetched at runtime, for that the target is a domain that only should have Kerberos canonicalization done and not dns canonicalization. Forwarded tickets, to avoid re-fetching them from the KDC. krb5_cc_get_config, krb5_is_config_principal, krb5_cc_set_config. There is a patch for MIT Kerberos that also [...]