Heimdal or MIT kerberos

Frank Cusack fcusack at fcusack.com
Mon Oct 4 01:40:50 EDT 2004


On Mon, 04 Oct 2004 10:55:49 +0800 sam <samwun at hgcbroadband.com> wrote:
> Hi,
>
> I'm not sure which kerberos I should use. With Heimdal, it is a
> thread-safe implementation, while MIT's kerberos is not.
>
> Please correct me if I'm wrong, but it appears that there are more
> applications supporting MIT kerberos than Heimdal.
>
> I basically want to use kerberos as a SSO server and allow various
> internet/network services to securely authenticate with
> users. Applications I would like to be kerberized are samba, apache,
> email (ldap)..
>
> So which kerberos should be used to avoid future difficulty of
> integration with the above application?

Heimdal does not have a functioning replay cache, so if your app
needs that you must go with MIT.  MIT also seems to be more actively
developed.  (That's not to say that heimdal doesn't get worked on.)

Most software these days still depends on MIT; however, porting to
heimdal is pretty easy.

What my site does is use the heimdal server and MIT clients.  And
local apps (client or server) are all built against MIT.  We use
heimdal for the PK-INIT support.

If heimdal is thread-safe, that's news to me.  You shouldn't care
if the apps you plan to use are off the shelf (sounds that way).

Apache kerberization is a long hard road.  You're much better off
going with pubcookie or some such system.
http://middleware.internet2.edu/webiso/ is a good page that
points to lots of web sso software.

Samba?  Good luck there as well.

I don't understand why you wrote 'email (ldap)'; what does ldap
have to do with sso for email?  Anyway, email kerberization is
relatively easy, but for the end-user, relatively non-eventful
since every mail client will store the user's password for them
(and you can do imaps or imap with digest auth to protect the
secrets).  LDAP kerberization is also fairly well handled these
days (but again, little to do with email authentication as such).

Summary: I'd stick with MIT.

/fc