Heimdal or MIT kerberos
sam
samwun at hgcbroadband.com
Mon Oct 4 07:19:54 EDT 2004
Frank Cusack wrote:
> On Mon, 04 Oct 2004 10:55:49 +0800 sam <samwun at hgcbroadband.com> wrote:
>
>>Hi,
>>
>>I'm not sure which kerberos I should use. With Heimdal, it is a
>>thread-safe implementation, while MIT's kerberos is not.
>>
>>Please correct me if I'm wrong, it appears that there are more
>>applications supporting MIT kerberos than Heimdal.
>>
>>I basically want to use kerberos as a SSO server and allow various
>>internet/network services to securely authenticate with
>>users. Applications I would like to be kerberized are samba, apache,
>>email (ldap)..
>>
>>So which kerberos should be used to avoid future difficulty of
>>integration with the above application?
>
>
> Heimdal does not have a functioning replay cache, so if your app
> needs that you must go with MIT. MIT also seems to be more actively
> developed. (That's not to say that heimdal doesn't get worked on.)
>
> Most software these days still depends on MIT, however porting to
> heimdal is pretty easy.
>
> What my site does is use the heimdal server and MIT clients. And
> local apps (client or server) are all built against MIT. We use
> heimdal for the PK-INIT support.
>
> If heimdal is thread-safe, that's news to me. You shouldn't care
> if the apps you plan to use are off the shelf (sounds that way).
>
> Apache kerberization is a long hard road. You're much better off
> going with pubcookie or some such system.
> http://middleware.internet2.edu/webiso/ is a good page that
> points to lots of web sso software.
>
> Samba? good luck there as well.
>
> I don't understand why you wrote 'email (ldap)', what does ldap
> have to do with sso for email? Anyway, email kerberization is
> relatively easy, but for the end-user, relatively non-eventful
> since every mail client will store the user's password for them
> (and you can do imaps or imap with digest auth to protect the
> secrets). LDAP kerberization is also fairly well handled these
> days (but again, little to do with email authentication as such).
>
> Summary: I'd stick with MIT.
>
> /fc
Thank you very much for your suggestion. I think I will use Heimdal as a
server as well.
Thanks
Sam