Heimdal

September 19, 2006

kimpersonate

Filed under: Heimdal — admin @ 10:00 pm

Yesterday I committed a tool to Heimdal called kimpersonate that I
wrote about 5 years ago, even before I was a Heimdal developer; I
even wrote a manpage for it. It's rather short, about 330 lines,
including copyright and command parsing. I use it as part of the
regression suite in Heimdal. To run the regression suite yourself, run
make check in the top-level directory.

kimpersonate prints Kerberos tickets for a user given a keytab (or
AFS keyfile). An example of how to use kimpersonate shows better what the
tool can do.


datan# kimpersonate -s host/nutcracker.it.su.se@SU.SE -c lha/root@SU.SE -t des3-cbc-sha1 -5 --ccache=FILE:/tmp/cache -k FILE:nutcracker-keytab
datan# klist -c FILE:/tmp/cache
Credentials cache: FILE:/tmp/cache
Principal: lha/root@SU.SE
Issued           Expires          Principal
Sep 19 08:22:52  Sep 19 09:22:52  host/nutcracker.it.su.se@SU.SE
datan# ssh -l root nutcracker.it.su.se
nutcracker#

So don't get your keytabs stolen, but you already knew that.

Also, today I enabled PK-INIT by default; now it has to be turned off when running configure.

September 11, 2006

ASN1 SEQ OF list operations

Filed under: Heimdal — admin @ 10:00 pm

What is life without some ASN.1 compiler hacking? Last week I got intensely bored of writing code that appends another element to the list of entries, so I spent 2 hours extending the ASN.1 compiler in Heimdal to generate add_ and remove_ functions for all SEQ OF types. So far it has only allowed me to remove code rather than to avoid writing it, but it's still a very useful feature. Just like the --preserve-binary= feature, the --sequence= option has to be turned on explicitly for all types where it's required.
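As an added illustration (not code from Heimdal or its ASN.1 compiler), here is what such a generated add_/remove_ pair amounts to for one SEQUENCE OF type. The one thing taken from the real code base is the representation of SEQUENCE OF as a length plus a heap array of elements; the type name ElementList, the single-string element type and the function names are the example's own, chosen to mirror the add_<Type>/remove_<Type> naming the post describes. The point of generating these is visible in the bodies: the overflow guard, the deep copy, the unchanged-on-failure behaviour and the bounds check on removal are easy to get wrong when the realloc-and-increment is repeated by hand at every call site.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hand-written stand-in for a compiler-generated SEQUENCE OF type.
 * Layout follows Heimdal's "len + val" convention; everything else is
 * constructed for this example. */
typedef struct {
    char *name;          /* stands in for a richer ASN.1 element */
} Element;

typedef struct {
    unsigned int len;    /* number of elements in val */
    Element *val;        /* heap array of len elements, NULL when len == 0 */
} ElementList;

/* malloc-based string copy so the example does not depend on strdup. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Append a deep copy of *e. Returns 0 or an errno value; on failure the
 * list is left exactly as it was. */
static int add_ElementList(ElementList *l, const Element *e)
{
    Element *p;
    char *copy;

    /* Refuse before either the count or the byte size can wrap. */
    if (l->len == UINT_MAX || (size_t)l->len + 1 > SIZE_MAX / sizeof(*l->val))
        return ERANGE;
    copy = dup_string(e->name);
    if (copy == NULL)
        return ENOMEM;
    p = realloc(l->val, ((size_t)l->len + 1) * sizeof(*l->val));
    if (p == NULL) {
        free(copy);
        return ENOMEM;
    }
    l->val = p;
    l->val[l->len].name = copy;
    l->len++;
    return 0;
}

/* Remove element idx, free what it owns and close the gap. An index past
 * the end yields EINVAL instead of a read beyond val. */
static int remove_ElementList(ElementList *l, unsigned int idx)
{
    if (idx >= l->len)
        return EINVAL;
    free(l->val[idx].name);
    memmove(&l->val[idx], &l->val[idx + 1],
            (size_t)(l->len - idx - 1) * sizeof(*l->val));
    l->len--;
    if (l->len == 0) {
        free(l->val);
        l->val = NULL;
    }
    return 0;
}

/* Release everything the list owns. */
static void free_ElementList(ElementList *l)
{
    while (l->len > 0)
        remove_ElementList(l, l->len - 1);
}

/* Worked run on constructed input: build a three-entry list, drop the
 * middle entry, and check that "third" moved down into slot 1.
 * Returns 0 on success, -1 on a content mismatch, or an errno value. */
static int demo_middle_removed(unsigned int *len_out)
{
    static const Element in[] = { { "first" }, { "second" }, { "third" } };
    ElementList l = { 0, NULL };
    int ret;
    size_t i;

    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        if ((ret = add_ElementList(&l, &in[i])) != 0)
            goto out;
    if ((ret = remove_ElementList(&l, 1)) != 0)
        goto out;
    ret = (l.len == 2 && strcmp(l.val[1].name, "third") == 0) ? 0 : -1;
out:
    *len_out = l.len;
    free_ElementList(&l);
    return ret;
}
```

In the real compiler output the element type is whatever the SEQUENCE OF contains and the copy is done by the generated copy_<Type> routine; the shape of the two functions is what this example is meant to show.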

September 10, 2006

Smartcard support

Filed under: Heimdal — admin @ 10:00 pm

I've been tinkering with smartcard support for the last week. Michael Alexander and Douglas Engert both helped me debug and diagnose all the problems that keep coming up; thanks for the work, guys.

I had misunderstood how PKCS#11 worked with objects and thought they were persistent across sessions. It was quite easy to change the code to cache the session, but suddenly it became much harder to get threading support right.

There is also a “feature” in PK-INIT that I'm not sure I like. When doing the encrypted session key exchange, the reply message is encrypted with the private key of the certificate, even in the case where the certificate is a signing-only certificate. That means that if there is a smartcard that actually enforces the signing-only policy of the CA, PK-INIT won't work for that card. All this is solved using DH, and that is what Windows Vista will do. But until Microsoft gets their act together and releases Vista, we have to live with this.

The hx509 lib now has greatly improved error messages, and I added more support in the software PKCS-11 token I have to emulate the different-session/different-object behaviour of ActivCard smartcards.

Digest authentication

Filed under: Heimdal — admin @ 9:00 pm

It's been some time since I wrote about what I've been working on in Heimdal. I was away for WWDC06 and had some two weeks' vacation, so a month went by doing nothing (that is a good thing).

A new feature I added a week ago is digest authentication in the KDC. Basically it allows a server, like a WebDAV server, to delegate the HTTP digest authentication to the KDC, so there is only one place you need to store the password.

This has a side effect of being able to return tickets from the KDC to the server. That will allow AFS sites to use digest auth (the mandatory-to-implement feature in WebDAV) for their WebDAV servers and at the same time export AFS. The way you did this before was that you stored the AFS keyfile on the WebDAV server and printed the tickets there. This is very scary when you think about what would happen if the WebDAV server was ever compromised.

There is both a library interface in libkrb5 (krb5_digest) and a binary (kdigest) that can be used to access the service in the KDC.

I still need to do some more testing, but most of the code should already be functional.

Oh, right, hopefully I got the channel bindings for HTTP auth right, so when that work is completed it should just work.
