I’ve spent the last week at the Kerberos IETF interim meeting (two
days), and after that, three days at the Kerberos Interop
Summit. Microsoft was the host for both of the events.
The agenda for the interim meeting was the define what protocol
features are of the RFC3962 (Kerberos crypto framework), RFC4120
(Kerberos protocol) and RFC4121 (Kerberos 5 GSS-API, CFX). This to
determine that is needed to document for the implementation report to
IETF, so that the RFC’s can have their status changed to draft-standard.
There was a couple of bugs founds in Heimdal when we did the
testing. First the GSS-API delegated token is wrongly encrypted with
the subkey, the session key should be used instead. I added
comatibility code for that (MIT already had that). The switch to use
the right key will have to wait until Heimdal 0.9.
I also got the Diffie-Hellan public key wrong in PK-INIT. I missed
that the keyed needed to wrapped in a INTEGER, that was simple enought
to fix. And when that was done, PK-INIT in Diffie-Hellman mode worked
just fine.
The entry in written and posted the my blog at 9445m over sea level in
an Airbus. Yay for internet when flying.
Technorati tag: Heimdal
Comments Off
Lately there have been lots minor changes to the tree, many of them
documentation changes. Feedback how to improve the documentation, both
the info documentation and the manual pages are much appreciated. I
especially like comments that some text in the documentation is hard to understand. Its so
easy for me to become blind to bad text when I’ve written both the code
and text. The brain fills in the missing bits and I don’t see the problems.
Of the latest changes I like the the credential cache iteration code the
most. It allows the user to list all caches available. It only works
for API and MEMORY caches though, some day there will be support for
KCM and FILE caches.
$ klist --list-caches
Principal Cache name Status
lha@SU.SE 0 Valid
lha@E.KTH.SE 1 Valid
This glued together with support in GSS-API’s gss_aquire_cred
allow applications to select the source principal is a bliss. I’ve
modified push (the pop-client included in Heimdal) to use SASL and
now I can tell is to use lha@KTH.SE when talking to
mail1.kth.se even though the current selected cache is
lha@SU.SE. No more kswitch (MIT application for API credential
cache) or using wrapper shellscripts setting the KRB5CCNAME
enviroment variable. It makes my life much easier, no more wondering
why I’ve not received any mail for whole day just because I selected
the wrong credential at the begining of the day.
The outstanding question is how to handle support for automatic
selection of credentials. What parameters can you accept from the
server ? How should you store the local configuration ? How should the
user influence the selection ? How to avoid privacy issues (avoid
doing TGS-REQ to KDC that you don’t want to expose your actions too) ?
These are all very interesting issues, but causes a lot of squishy
noise when you hits your head agaist the wall.
I’ve also cleaned up DH support in PK-INIT, now it will check the
parameters choosen by the client, and there is a moduli files that
allows the administrator to add new group parameters. I also wrote a
fix for the PK-INIT-09 windows problem with binding the answer to the
request as presented by
href=”http://www.cis.upenn.edu/~scedrov/”>Andrew Scedrow et al at
IETF63 in Paris. The fix from Microsoft can be found
href=”http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx”>
here.
Now there is only parts of the KDC certificate verification code
missing and documentation on how to use PK-INIT that is missing before
I’m happy enough to make a release including PK-INIT. There are of
course major issues left, like PAM support, certificate handling and
CMS support, but those can be cleaned up later. There is of course the
rewrite of the ASN.1 compiler, but that seems to be the default state
of ASN.1 compilers so I’m not too worried about that.
Technorati tag: Heimdal
Comments Off