On 6/21/2013 10:07 AM, Corinna Vinschen wrote:
>> To the best of my knowledge the Heimdal developers have not been
>> contacted by the Cygwin Heimdal package maintainer.
>
> Well, if it builds...

We are discussing security software that must integrate with the native environment. When MIT or Heimdal Kerberos is built for OS X, it is built with specific knowledge of the OS X keychain. When XYZ Kerberos is built for Windows natively, it has specific knowledge of the Microsoft LSA Kerberos cache (read-only) and provides a secure credential cache implementation into which credentials can be stored and accessed via the MIT credential cache API.

The goal of Kerberos is single sign-on, so if the user obtains Kerberos credentials as part of the OS logon, they should be accessible to the applications that the user executes without requiring that the user enter their password again.

On Linux the kernel's keyring support is often used to store Kerberos credentials because it is more secure than plain files. I suspect that functionality is not emulated by cygwin1.dll, since it could not in fact be secure unless it was backed by a kernel driver.

Since Cygwin Heimdal is built as Linux without any platform-specific credential cache support, it will be restricted to using FILE: caches as a ticket store. Microsoft Kerberos never uses FILE: based caches, and native MIT and Heimdal distributions use them only when explicitly configured to.

The preferred location of a krb5.conf file on Windows is %ALLUSERSPROFILE%\Kerberos\krb5.conf. By reading the DOS-formatted file stored at that location, any configuration applied to native Kerberos library distributions will also be used by Cygwin applications. If Cygwin's /etc/krb5.conf is used, the system administrator (often an end user without knowledge that Kerberos is even being used) must ensure that the two configuration files are synchronized to avoid inconsistent application behavior.

I guess that cygwin1.dll could special-case /etc/krb5.conf and have it shadow %ALLUSERSPROFILE%\Kerberos\krb5.conf with appropriate end-of-line translations.
> You can look it up in the source archive really simply:
> ftp://cygwin.com/pub/cygwin/release/heimdal/heimdal-1.5.2-4-src.tar.bz2
>
> From what I gather from the heimdal.cygport file, there's nothing
> special in this build, except for four patch files which fix minor
> build problems and a signal handling bug.

Of the four patches included in the tarball, all but the lib/roken/signal.c patch are specific to the Cygwin build and installation. The lib/roken/signal.c patch could be submitted upstream via a github.com pull request against https://github.com/heimdal/heimdal.

Jeffrey Altman

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
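An added check, not part of the thread or of the Cygwin Heimdal package: a POSIX shell script that detects the drift Jeffrey warns about between the Windows-side %ALLUSERSPROFILE%\Kerberos\krb5.conf (DOS line endings) and Cygwin's /etc/krb5.conf, by comparing both after normalizing line endings, whitespace and comments. The use of cygpath to locate the Windows file and the sample configs in the self-test are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between the Windows-side
# krb5.conf (%ALLUSERSPROFILE%\Kerberos\krb5.conf, DOS line endings) and
# Cygwin's /etc/krb5.conf. Paths and sample configs below are assumptions.

# Normalize a krb5.conf: drop CRs, trailing whitespace, blank and comment lines,
# so a DOS-formatted copy and an LF copy with the same settings compare equal.
krb5conf_normalize() {
    tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' \
                            -e '/^[[:space:]]*$/d' \
                            -e '/^[[:space:]]*[#;]/d'
}

# 0 = both copies agree after normalization, 1 = drifted, 2 = unreadable file.
krb5conf_in_sync() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(krb5conf_normalize "$1")" = "$(krb5conf_normalize "$2")" ]
}

# On a Cygwin host, compare the real files (ALLUSERSPROFILE mapped via cygpath).
krb5conf_check_host() {
    command -v cygpath >/dev/null 2>&1 || { echo "not running under Cygwin" >&2; return 2; }
    win="$(cygpath -u "$ALLUSERSPROFILE")/Kerberos/krb5.conf"
    krb5conf_in_sync "$win" /etc/krb5.conf; rc=$?
    case $rc in
        0) echo "in sync: $win and /etc/krb5.conf" ;;
        1) echo "DRIFT: $win and /etc/krb5.conf differ" >&2 ;;
        *) echo "cannot read $win or /etc/krb5.conf" >&2 ;;
    esac
    return $rc
}

# Self-test on constructed files: a CRLF "Windows" copy and an LF "Cygwin" copy
# with the same realm must match; a copy with another default_realm must not.
krb5conf_selftest() {
    d=$(mktemp -d) || return 2
    printf '[libdefaults]\r\n  default_realm = EXAMPLE.COM\r\n\r\n' > "$d/win.conf"
    printf '# cygwin copy\n[libdefaults]\n  default_realm = EXAMPLE.COM\n' > "$d/cyg.conf"
    printf '[libdefaults]\n  default_realm = OTHER.COM\n' > "$d/drift.conf"
    krb5conf_in_sync "$d/win.conf" "$d/cyg.conf";   ok1=$?
    krb5conf_in_sync "$d/win.conf" "$d/drift.conf"; ok2=$?
    rm -rf "$d"
    [ "$ok1" -eq 0 ] && [ "$ok2" -eq 1 ]
}
```

Run `krb5conf_check_host` from a Cygwin shell to compare the live files; `krb5conf_selftest` exercises the comparison on the constructed samples.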