Mail Archives: cygwin/2013/06/21/13:35:49

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <51C48EE2.1000406@openafs.org>
Date: Fri, 21 Jun 2013 13:35:30 -0400
From: Jeffrey Altman <jaltman AT openafs DOT org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Packaging Heimdal for Cygwin was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD AT EXMAIL DOT hrl DOT com> <51C33835 DOT 6000207 AT openafs DOT org> <409A0E510096B044A0EE3778BB3F1F5C01379C904127 AT EXMAIL DOT hrl DOT com> <51C38880 DOT 3090401 AT openafs DOT org> <20130621074355 DOT GE1620 AT calimero DOT vinschen DOT de> <51C45788 DOT 7080908 AT openafs DOT org> <20130621140733 DOT GF7362 AT calimero DOT vinschen DOT de>
In-Reply-To: <20130621140733.GF7362@calimero.vinschen.de>

On 6/21/2013 10:07 AM, Corinna Vinschen wrote:
>> To the best of my knowledge the Heimdal developers have not been
>> contacted by the Cygwin Heimdal package maintainer.
> 
> Well, if it builds...

We are discussing security software that must integrate with the native
environment.  When MIT or Heimdal Kerberos is built for OSX it is built
with specific knowledge of the OSX keychain.

When XYZ Kerberos is built for Windows natively it has specific
knowledge of the Microsoft LSA Kerberos cache (read-only) and provides a
secure credential cache implementation into which credentials can be
stored and accessed via the MIT credential cache API.  The goal of
Kerberos is single sign-on so if the user obtains Kerberos credentials
as part of the OS logon they should be accessible to the applications
that the user executes without requiring that the user enter their
password again.

On Linux the kernel's keyring support is often used to store Kerberos
credentials because it is more secure than plain files.  I suspect that
functionality is not emulated by cygwin1.dll since it could not in fact
be secure unless it was backed by a kernel driver.

Since Cygwin Heimdal is built as Linux without any platform specific
credential cache support it will be restricted to using FILE: caches as
a ticket store.  Microsoft Kerberos never uses FILE: based caches and
native MIT and Heimdal distributions use them only when explicitly
configured to.

The preferred location of a krb5.conf file on Windows is

  %ALLUSERSPROFILE%\Kerberos\krb5.conf

By reading the DOS formatted file stored at that location any configuration
applied to native Kerberos library distributions will also be used by
Cygwin applications.

If Cygwin's /etc/krb5.conf is used the system administrator (often an
end user without knowledge that Kerberos is even being used) must ensure
that the two configuration files are synchronized to avoid inconsistent
application behavior.

I guess that cygwin1.dll could special case /etc/krb5.conf and have it
shadow %ALLUSERSPROFILE%\Kerberos\krb5.conf with appropriate end-of-line
translations.

> You can look it up in the source archive really simply:
> ftp://cygwin.com/pub/cygwin/release/heimdal/heimdal-1.5.2-4-src.tar.bz2
> 
> From what I gather from the heimdal.cygport file, there's nothing
> special in this build, except for four patch files which fix minor
> build problems and a signal handling bug.

Of the four patches included in the tarball all but the
lib/roken/signal.c patch are specific to the Cygwin build and
installation.  The lib/roken/signal.c patch could be submitted upstream
via a github.com pull request against https://github.com/heimdal/heimdal.

Jeffrey Altman



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
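Added example, not part of the message above or of the Cygwin Heimdal package: a check for the synchronization problem Jeffrey describes, parsing a native Windows krb5.conf (DOS line endings) and Cygwin's /etc/krb5.conf and reporting every setting that differs between them. The two file contents are constructed samples; the realm, hostnames and cache path in them are assumptions.

```python
import re

# Constructed sample: %ALLUSERSPROFILE%\Kerberos\krb5.conf as written by a
# native Windows tool (CRLF endings), and Cygwin's /etc/krb5.conf after an
# administrator edited only one of the two copies.
WINDOWS_KRB5_CONF = (
    "[libdefaults]\r\n"
    "    default_realm = EXAMPLE.COM\r\n"
    "    default_ccache_name = FILE:C:\\Temp\\krb5cc\r\n"
    "[realms]\r\n"
    "    EXAMPLE.COM = {\r\n"
    "        kdc = kdc1.example.com\r\n"
    "        admin_server = kdc1.example.com\r\n"
    "    }\r\n"
)

CYGWIN_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc2.example.com   # drifted from the Windows copy
        admin_server = kdc1.example.com
    }
"""


def parse_krb5_conf(text):
    """Flatten a krb5.conf into {"section/subsection/key": value}.
    Normalizes CRLF to LF, drops '#' comments, and follows the brace-nested
    subsections used in [realms], [domain_realm] and [capaths]."""
    settings = {}
    path = []  # current [section] plus any open "name = {" blocks
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"^\[(\S+)\]$", line)
        if section:
            path = [section.group(1)]
            continue
        if line == "}":
            path.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            path.append(key)
            continue
        settings["/".join(path + [key])] = value
    return settings


def diff_krb5_conf(a_text, b_text):
    """Return {key: (a_value, b_value)} for each setting whose value differs
    between the two files; None marks a key missing from one side."""
    a, b = parse_krb5_conf(a_text), parse_krb5_conf(b_text)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}
```

Run against the real files by reading them in binary-safe text mode; the parser already tolerates the DOS line endings of the Windows copy.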
