lördag 21 november 2009

Heimdal 1.3.0 and 1.3.1

It was over a year ago last release was made, today we have published 1.3.1. We already released 1.3.0 last week but was never announced it.

Here is summary of change that included in the release:

Major changes in 1.3.1



  • Make work with OpenLDAPs krb5 overlay








Major changes in 1.3.0

  • Partial support for MIT kadmind rpc protocol in kadmind

  • Better support for finding keytab entries when using SPN aliases in the KDC

  • Support BER in ASN.1 library (needed for CMS)

  • Support decryption in Keychain private keys

  • Support for new sqlite based credential cache

  • Try both KDC referals and the common DNS reverse lookup in GSS-API

  • Fix the KCM to not leak resources on failure

  • Add IPv6 support to iprop

  • Support localization of error strings in

  • kinit/klist/kdestroy and Kerberos library

  • Remove Kerberos 4 support in application (still in KDC)

  • Deprecate DES

  • Support i18n password in windows domains (using UTF-8)

  • More complete API emulation of OpenSSL in hcrypto

  • Support for ECDSA and ECDH when linking with OpenSSL



There are more changes in the patch train, and I assume that you all don't have to wait other year before 1.4 gets out


Release Notes - Heimdal - Version Heimdal 1.3.1

Bug fixes

- Make work with OpenLDAPs krb5 overlay

Release Notes - Heimdal - Version Heimdal 1.3

New features

- Partial support for MIT kadmind rpc protocol in kadmind

- Better support for finding keytab entries when using SPN aliases in the KDC

- Support BER in ASN.1 library (needed for CMS)

- Support decryption in Keychain private keys

- Support for new sqlite based credential cache

- Try both KDC referals and the common DNS reverse lookup in GSS-API

- Fix the KCM to not leak resources on failure

- Add IPv6 support to iprop

- Support localization of error strings in

kinit/klist/kdestroy and Kerberos library

- Remove Kerberos 4 support in application (still in KDC)

- Deprecate DES

- Support i18n password in windows domains (using UTF-8)

- More complete API emulation of OpenSSL in hcrypto

- Support for ECDSA and ECDH when linking with OpenSSL

API changes

- Support for settin friendly name on credential caches

- Move to using doxygen to generate documentation.

- Sprinkling __attribute__((depricated)) for old function to be removed

- Support to export LAST-REQUST information in AS-REQ

- Support for client deferrals in in AS-REQ

- Add seek support for krb5_storage.

- Support for split AS-REQ, first step for IA-KERB

- Fix many memory leaks and bugs

- Improved regression test

- Support krb5_cccol

- Switch to krb5_set_error_message

- Support krb5_crypto_*_iov

- Switch to use EVP for most function

- Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)

- Add support for GSS_C_DELEG_POLICY_FLAG

- Add krb5_cc_[gs]et_config to store data in the credential caches

- PTY testing application

Bugfixes

- Make building on AIX6 possible.

- Bugfixes in LDAP KDC code to make it more stable

- Make ipropd-slave reconnect when master down gown

torsdag 5 november 2009

Using krb5_cc_[gs]et_config

Or how everything turned into a nail


Maybe this should be titled, how everything turned into a nail when I got a hammer. There are a couple of use cases I want to discuss first, and then why krb5_cc_[gs]et_config() isn't useable for everything.

First out is Windows, you just talked to a Windows AD KDC to get your TGT, but you need to do slight tweeks to make it work better on
Windows, so turn on insecure^HWindows behavior when we use this this credential cache. We make it up with a global setting using krb5_cc_[sg]_config().

Next thing that comes is negative caching of TGS requests (fetching service tickets). Now this seems very stupid to do, but for practical reason is not.

If you want to use HTTP Negotiate and have it default turned on in you http client, you can get bad behaviors in case of the webserver announces support for Negotiate and the client can't get service tickets for that realm. You don't want to have the performance loss of having to ask the KDC over and over again for the same ticket that you can't get.

The the state HTTP negotiate doesn't work should probably be in the http client instead, but sometimes that not possible, just think of running curl in a shell script and looping a couple of times, when you are tired enough of DNS timeouts, not answering KDC, referrals that doesn't lead anywhere, etc, you can let me know.

Third problem is ticket forwarding, it will get you into the same problem. If you want to do a lot of forwarding of your ticket, again maybe because of HTTP Negotiate, then you don't want to hit the KDC for every request. Again we can use krb5_cc_[gs]et_config to store the
forwarding credential for this entry.

So when is krb5_cc_[gs]et_config not useful


So when you renew your credentials you loose all your state, so if you want to keep your state you better store it somewhere else. So that said, having the Windows behavior flag in the krb5_cc_[gs]et_config is probably not good idea. There needs to be somewhere else that this kind of information is stored.