Lately there have been lots of minor changes to the tree, many of them
documentation changes. Feedback on how to improve the documentation, both
the info documentation and the manual pages, is much appreciated. I
especially like comments that some text in the documentation is hard to understand. It's so
easy for me to become blind to bad text when I've written both the code
and the text. The brain fills in the missing bits and I don't see the problems.
Of the latest changes I like the credential cache iteration code the
most. It allows the user to list all available caches. It only works
for API and MEMORY caches though; some day there will be support for
KCM and FILE caches.
    $ klist --list-caches
      Principal      Cache name   Status
      lha@SU.SE      0            Valid
      lha@E.KTH.SE   1            Valid
This, glued together with support in GSS-API's gss_acquire_cred,
allows applications to select the source principal, which is bliss. I've
modified push (the POP client included in Heimdal) to use SASL and
now I can tell it to use lha@KTH.SE when talking to
mail1.kth.se even though the currently selected cache is
lha@SU.SE. No more kswitch (MIT application for the API credential
cache) or wrapper shell scripts setting the KRB5CCNAME
environment variable. It makes my life much easier: no more wondering
why I've not received any mail for a whole day just because I selected
the wrong credential at the beginning of the day.
The outstanding question is how to handle support for automatic
selection of credentials. What parameters can you accept from the
server? How should you store the local configuration? How should the
user influence the selection? How do you avoid privacy issues (avoid
doing a TGS-REQ to a KDC that you don't want to expose your actions to)?
These are all very interesting issues, but they cause a lot of squishy
noise when you hit your head against the wall.
I've also cleaned up DH support in PK-INIT; now it will check the
parameters chosen by the client, and there is a moduli file that
allows the administrator to add new group parameters. I also wrote a
fix for the PK-INIT-09 Windows problem with binding the answer to the
request, as presented by Andre Scedrov et al.
(http://www.cis.upenn.edu/~scedrov/) at IETF63 in Paris. The fix from
Microsoft can be found at
http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx.
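As an added illustration of the kind of check described above (example code written for this page, not Heimdal's implementation), the following Python parses an assumed moduli-file layout, one approved group per line as `name bits p g q` with p, g and q in hex, and then validates the DH group and public value a client presents. The file layout, the function names and the two toy groups (p = 23 and p = 47, both safe primes with a generator of order q) are assumptions made for this example; real groups are 1024 bits and larger, which is why the minimum-size check defaults to 1024 and is lowered only in the demonstration.

```python
"""Validate client-chosen Diffie-Hellman parameters against an approved list.

Illustration only; not Heimdal's code.  Assumed moduli-file layout:
    name bits p g q        (p, g, q in hex; '#' starts a comment)
"""
from dataclasses import dataclass
from typing import List

# Constructed sample moduli file for this example.  Both groups are safe
# primes (p = 2q + 1) with g of order q; they are tiny so the arithmetic
# can be followed by hand, not something a KDC should ever accept.
SAMPLE_MODULI = """\
# name   bits  p   g  q
toy-5    5     17  2  b
toy-6    6     2f  2  17
"""


@dataclass(frozen=True)
class Group:
    name: str
    bits: int
    p: int
    g: int
    q: int


def parse_moduli(text: str) -> List[Group]:
    """Parse the moduli file, rejecting entries that are not internally
    consistent so a typo in the administrator's file cannot admit a bad group."""
    groups = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"moduli line {lineno}: expected 5 fields, got {len(fields)}")
        name, bits_s, p_s, g_s, q_s = fields
        bits, p, g, q = int(bits_s), int(p_s, 16), int(g_s, 16), int(q_s, 16)
        if p.bit_length() != bits:
            raise ValueError(f"moduli line {lineno}: p is {p.bit_length()} bits, not {bits}")
        # g must be a proper generator of the order-q subgroup.
        if not (1 < g < p - 1) or pow(g, q, p) != 1:
            raise ValueError(f"moduli line {lineno}: g is not a generator of order q")
        groups.append(Group(name, bits, p, g, q))
    return groups


def check_client_dh(groups: List[Group], p: int, g: int, q: int, y: int,
                    min_bits: int = 1024) -> Group:
    """Validate the domain parameters (p, g, q) and public value y sent by a
    client.  Returns the matching approved group or raises ValueError.
    Cheap rejections (unknown or too-small group, out-of-range value) come
    before the modular exponentiation of the subgroup check."""
    group = next((grp for grp in groups if (grp.p, grp.g, grp.q) == (p, g, q)), None)
    if group is None:
        raise ValueError("DH group is not in the approved moduli list")
    if group.bits < min_bits:
        raise ValueError(f"DH group {group.name} is {group.bits} bits, below the minimum {min_bits}")
    # The public value must lie strictly between 1 and p - 1 ...
    if not (1 < y < p - 1):
        raise ValueError("DH public value out of range")
    # ... and inside the order-q subgroup, otherwise a malicious peer can
    # force the shared secret into a tiny subgroup (small-subgroup attack).
    if pow(y, q, p) != 1:
        raise ValueError("DH public value is not in the order-q subgroup")
    return group


if __name__ == "__main__":
    approved = parse_moduli(SAMPLE_MODULI)
    # An honest client: y = g^x mod p for the first toy group.
    print(check_client_dh(approved, 23, 2, 11, pow(2, 7, 23), min_bits=5).name)
    for bad in ((23, 2, 11, 22), (29, 2, 7, 4), (47, 2, 23, 5)):
        try:
            check_client_dh(approved, *bad, min_bits=5)
        except ValueError as exc:
            print("rejected:", exc)
```

The three rejected cases in the demonstration are p - 1 (order 2, not in range), a group absent from the moduli file, and y = 5 in the p = 47 group, which is a quadratic non-residue and so not in the order-23 subgroup even though it is in range.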
Now only parts of the KDC certificate verification code and the
documentation on how to use PK-INIT are missing before
I'm happy enough to make a release including PK-INIT. There are of
course major issues left, like PAM support, certificate handling and
CMS support, but those can be cleaned up later. There is of course the
rewrite of the ASN.1 compiler, but that seems to be the default state
of ASN.1 compilers so I'm not too worried about that.