Heimdal or MIT kerberos

sam samwun at hgcbroadband.com
Mon Oct 4 07:19:54 EDT 2004


Frank Cusack wrote:
> On Mon, 04 Oct 2004 10:55:49 +0800 sam <samwun at hgcbroadband.com> wrote:
> 
>>Hi,
>>
>>I m not sure which kerberos I should use. With Heimdal, it is a
>>thread-safe implementation, while MIT's kerberos is not.
>>
>>Please correct me if I m wrong, it appears that there is more
>>applicatoins support MIT kerberos than Heimdal.
>>
>>I basically want to use kerbeors as a SSO server and allows various
>>internet/network service to securely authenticate with
>>users. Applications I would like to be kerberized is samba, apache,
>>email (ldap)..
>>
>>So which kerberos should be used to avoid future difficulty of
>>integration with the above application?
> 
> 
> Heimdal does not have a functioning replay cache, so if your app
> needs that you must go with MIT.  MIT also seems to be more actively
> developed.  (That's not to say that heimdal doesn't get worked on.)
> 
> Most software these days still depends on MIT, however porting to
> heimdal is pretty easy.
> 
> What my site does is use the heimdal server and MIT clients.  And
> local apps (client or server) are all built against MIT.  We use
> heimdal for the PK-INIT support.
> 
> If heimdal is thread-safe, that's news to me.  You shouldn't care
> if the apps you plan to use are off the shelf (sounds that way).
> 
> Apache kerberization is a long hard road.  You're much better off
> going with pubcookie or some such system.
> http://middleware.internet2.edu/webiso/ is a good page that
> points to lots of web sso software.
> 
> Samba?  good luck there as well.
> 
> I don't understand why you wrote 'email (ldap)', what does ldap
> have to do with sso for email?  Anyway, email kerberization is
> relatively easy, but for the end-user, relatively non-eventful
> since every mail client will store the user's password for them
> (and you can do imaps or imap with digest auth to protect the
> secrets).  LDAP kerberization is also fairly well handled these
> days (but again, little to do with email authentication as such).
> 
> Summary: I'd stick with MIT.
> 
> /fc
Thank you very much for your suggestion. I think I will use Heimdal as a 
server as well.

Thanks
Sam


More information about the Kerberos mailing list