Packaging Heimdal for Cygwin was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"

Jeffrey Altman jaltman@openafs.org
Fri Jun 21 17:43:00 GMT 2013


On 6/21/2013 10:07 AM, Corinna Vinschen wrote:
>> To the best of my knowledge the Heimdal developers have not been
>> contacted by the Cygwin Heimdal package maintainer.
> 
> Well, if it builds...

We are discussing security software that must integrate with the native
environment.  When MIT or Heimdal Kerberos is built for OSX it is built
with specific knowledge of the OSX keychain.

When XYZ Kerberos is built for Windows natively it has specific
knowledge of the Microsoft LSA Kerberos cache (readonly) and provides a
secure credential cache implementation into which credentials can be
stored and accessed via the MIT credential cache api.  The goal of
Kerberos is single sign-on so if the user obtains Kerberos credentials
as part of the OS logon they should be accessible to the applications
that the user executes without requiring that the user enter their
password again.

On Linux the kernel's keyring support is often used to store Kerberos
credentials because it is more secure than plain files.  I suspect that
functionality is not emulated by cygwin1.dll since it could not in fact
be secure unless it was backed by a kernel driver.

Since Cygwin Heimdal is built as Linux without any platform specific
credential cache support it will be restricted to using FILE: caches as
a ticket store.  Microsoft Kerberos never uses FILE: based caches and
native MIT and Heimdal distributions use them only when explicitly
configured to.

The preferred location of a krb5.conf file on Windows is

  %ALLUSERSPROFILE%\Kerberos\krb5.conf

By reading the DOS formatted file stored at that location any configuration
applied to native Kerberos library distributions will also be used by
Cygwin applications.

If Cygwin's /etc/krb5.conf is used the system administrator (often an
end user without knowledge that Kerberos is even being used) must ensure
that the two configuration files are synchronized to avoid inconsistent
application behavior.

I guess that cygwin1.dll could special case /etc/krb5.conf and have it
shadow %ALLUSERSPROFILE%\Kerberos\krb5.conf with appropriate end-of-line
translations.

> You can look it up in the source archive really simply:
> ftp://cygwin.com/pub/cygwin/release/heimdal/heimdal-1.5.2-4-src.tar.bz2
> 
> From what I gather from the heimdal.cygport file, there's nothing
> special in this build, except for four patch files which fix minor
> build problems and a signal handling bug.

Of the four patches included in the tar ball all but the
lib/roken/signal.c patch are specific to the Cygwin build and
installation.  The lib/roken/signal.c patch could be submitted upstream
via a github.com pull request against https://github.com/heimdal/heimdal.

Jeffrey Altman



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
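The drift risk described above, where Cygwin's /etc/krb5.conf and the DOS-formatted %ALLUSERSPROFILE%\Kerberos\krb5.conf fall out of step, can be checked with a small script; this is an added example, not code from the message or from Cygwin or Heimdal. It assumes Cygwin's `cygpath` is available for the live check and that the two paths are the ones named in the message.

```shell
#!/bin/sh
# Detect drift between the Windows-wide krb5.conf and Cygwin's /etc/krb5.conf.
# The Windows copy is DOS-formatted (CRLF), so CRs are stripped before comparing.

# Returns 0 if the two profiles match after end-of-line normalisation,
# 1 if their contents differ, 2 if either file is unreadable.
krb5conf_in_sync() {
    win_conf=$1
    cyg_conf=$2
    [ -r "$win_conf" ] && [ -r "$cyg_conf" ] || return 2
    tmp=$(mktemp) || return 2
    tr -d '\r' < "$cyg_conf" > "$tmp"
    if tr -d '\r' < "$win_conf" | cmp -s - "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Human-readable verdict: in-sync, drift, or missing.
krb5conf_status() {
    rc=0
    krb5conf_in_sync "$1" "$2" || rc=$?
    case $rc in
        0) echo in-sync ;;
        1) echo drift ;;
        *) echo missing ;;
    esac
}

# Live check under Cygwin: cygpath maps %ALLUSERSPROFILE% to a POSIX path.
# (Assumed invocation; nothing is printed outside a Cygwin environment.)
if [ -n "${ALLUSERSPROFILE:-}" ] && command -v cygpath >/dev/null 2>&1; then
    win_conf="$(cygpath -u "$ALLUSERSPROFILE")/Kerberos/krb5.conf"
    echo "$win_conf vs /etc/krb5.conf: $(krb5conf_status "$win_conf" /etc/krb5.conf)"
fi
```

A "drift" verdict means the two libraries will read different realm or KDC settings, which is the inconsistent application behaviour the message warns about.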