krb5-1.8-beta2 is available

Marcus Watts mdw at umich.edu
Fri Feb 26 19:18:04 EST 2010


Thomas Yu sent:
...
> > Things that I'd love to see in some future version of the code,
> >
> > * a configure option that actually *removes* the single-des
> >   cryptosystem from the built code (as opposed to merely disabling it).
> 
> We considered the related idea of outright removing the code that does
> single-DES.  Having a configure option to not build the single-DES
> code does sound better.  It's an awfully big hammer, but I can see why
> some sites might want that.
> 
> How soon do people think it would be appropriate to add such an
> option? (It won't achieve much code size reduction unless it also
> removes triple-DES, at least if building the builtin crypto.)

Yes, code size reduction isn't the point.  It means people who noticed
you've got all sorts of ways to bypass "we turned DES off in krb5.conf"
can be more confident they don't have any hidden single-des dependencies.

If you ask me, 1.8.1 might be a good time to put this in.  Then again,
I'm surprised this didn't go in years ago, so I might not be the best
person to ask when such a feature should go in.  (options to selectively
enable des,des3,rc4,aes would be a nice generalization.)

> 
> > * python 2.6 support.
> 
> By this do you mean API bindings in python?  For which APIs?

configure has logic in it which looks for python 2.3, 2.5,
and a comment "We really should look for and use python-config.".
Looks like it's only used in src/plugins/locate/python/

I have to admit, in looking a bit more, I'm not convinced this is actually
useful - so this may not satisfy anything I care about past a slight
urge "for the sake of completeness".

Ideally, I'd like to see APIs to handle refreshing tickets (which would
facilitate writing daemons that refresh ticket files (similar to k5start)
- and restart connections inside that daemon when the tickets are refreshed
(which k5start can't do)).  I'd also like to see an API similar to perl5's
	Authen::Krb5::Admin
and maybe,
	Authen::Krb5
but clearly I'm doing lots more wishful thinking here.

				-Marcus Watts
