Heimdal or MIT kerberos

Henry B. Hotz hbhotz at oxy.edu
Mon Oct 4 15:11:05 EDT 2004


On Oct 4, 2004, at 9:02 AM, kerberos-request at mit.edu wrote:

> Date: Sun, 03 Oct 2004 22:40:50 -0700
> From: Frank Cusack <fcusack at fcusack.com>
> To: kerberos at MIT.EDU
> Subject: Re: Heimdal or MIT kerberos
> Message-ID: <m3ekkfvy59.fsf at magma.savecore.net>
> References: <cjqfj4$1rss$1 at news.hgc.com.hk>
> Precedence: list
> Message: 2
>
> On Mon, 04 Oct 2004 10:55:49 +0800 sam <samwun at hgcbroadband.com> wrote:
>> I'm not sure which kerberos I should use.

They're both good.  Don't sweat it too much.

> Heimdal does not have a functioning replay cache, so if your app
> needs that you must go with MIT.

Very true, but it depends on the app whether it matters or not.   
Heimdal doesn't support password history checking either, but there's  
public code to add that if you don't run a very large site.

> Apache kerberization is a long hard road.  You're much better off
> going with pubcookie or some such system.
> http://middleware.internet2.edu/webiso/ is a good page that
> points to lots of web sso software.

Hmmm.  If you use a recent Mozilla-derivative and mod_auth_kerb with  
Apache it seems to handle the basics.  Haven't checked interop with MS  
products.

Which one you choose may depend on whether you need some add-on.  There  
are a couple of hardware pre-authentication devices supported only with  
MIT patches, but the PKINIT patches are only for Heimdal.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu


