It has been some time since I wrote about what I’ve been working on with Heimdal. I was away for WWDC06 and had some 2 weeks of vacation, so a month went away doing nothing (that is a good thing).
A new feature I added a week ago is digest authentication in the KDC. Basically, it allows a server, like a WebDAV server, to delegate the HTTP digest authentication to the KDC; then there is only one place you need to store the password.
This has the side effect of being able to return tickets from the KDC to the server. That will allow AFS sites to use digest auth (the mandatory-to-implement feature in WebDAV) to their WebDAV servers and at the same time export AFS. The way you did this before was that you stored the AFS keyfile on the WebDAV server and printed the tickets there. This is very scary when you think about what would happen if the WebDAV server were ever compromised.
There is both a library interface in libkrb5 (krb5_digest) and a binary (kdigest) that can be used to access the service in the KDC.
I still need to do some more testing, but most of the code should already be functional.
Oh, right, hopefully I got the channel bindings for HTTP auth right, so when that work is completed it should just work.
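The delegation described above, modelled as an added Python example (not Heimdal code, and not the krb5_digest API or the KDC's protocol): the web server keeps no password and relays the client's digest fields to the one party that does. `ToyKDC` and `WebDAVServer` are hypothetical names, RFC 2617 MD5 digest with qop=auth is assumed, and nonce issuance and the channel bindings are left out.

```python
import hashlib
import hmac

REQUIRED = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

class ToyKDC:
    """Stand-in for the KDC digest service: the only place passwords live."""

    def __init__(self, passwords):
        self._passwords = passwords  # {(username, realm): password}

    def verify_digest(self, method, f):
        password = self._passwords.get((f["username"], f["realm"]))
        if password is None:
            return False
        # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
        ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
        ha2 = md5_hex(f"{method}:{f['uri']}")
        expected = md5_hex(":".join(
            [ha1, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected.encode(), f["response"].encode())

class WebDAVServer:
    """Has no password store; it only relays the client's digest fields."""

    def __init__(self, kdc):
        self._kdc = kdc

    def authenticate(self, method, fields):
        # Reject incomplete headers; this sketch handles qop=auth only.
        if not REQUIRED <= fields.keys() or fields["qop"] != "auth":
            return False
        return self._kdc.verify_digest(method, fields)

# Constructed input: the worked example from RFC 2617 section 3.5.
KDC = ToyKDC({("Mufasa", "testrealm@host.com"): "Circle Of Life"})
SERVER = WebDAVServer(KDC)
SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(SERVER.authenticate("GET", SAMPLE))
```

A compromise of `WebDAVServer` in this model exposes only the digest responses that pass through it, since the password table exists solely inside `ToyKDC`.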