Message-ID: <51C48EE2.1000406@openafs.org>
Date: Fri, 21 Jun 2013 13:35:30 -0400
From: Jeffrey Altman
To: cygwin AT cygwin DOT com
Subject: Packaging Heimdal for Cygwin was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
In-Reply-To: <20130621140733.GF7362@calimero.vinschen.de>

On 6/21/2013 10:07 AM, Corinna Vinschen wrote:
>> To the best of my knowledge the Heimdal developers have not been
>> contacted by the Cygwin Heimdal package maintainer.
>
> Well, if it builds...

We are discussing security software that must integrate with the native environment. When MIT or Heimdal Kerberos is built for OSX, it is built with specific knowledge of the OSX keychain. When XYZ Kerberos is built for Windows natively, it has specific knowledge of the Microsoft LSA Kerberos cache (read-only) and provides a secure credential cache implementation into which credentials can be stored and accessed via the MIT credential cache API.

The goal of Kerberos is single sign-on, so if the user obtains Kerberos credentials as part of the OS logon, they should be accessible to the applications that the user executes without requiring that the user enter their password again. On Linux the kernel's keyring support is often used to store Kerberos credentials because it is more secure than plain files. I suspect that functionality is not emulated by cygwin1.dll since it could not in fact be secure unless it was backed by a kernel driver. Since Cygwin Heimdal is built as Linux without any platform-specific credential cache support, it will be restricted to using FILE: caches as a ticket store.

Microsoft Kerberos never uses FILE: based caches, and native MIT and Heimdal distributions use them only when explicitly configured to.

The preferred location of a krb5.conf file on Windows is %ALLUSERSPROFILE%\Kerberos\krb5.conf. By reading the DOS-formatted file stored at that location, any configuration applied to native Kerberos library distributions will also be used by Cygwin applications. If Cygwin's /etc/krb5.conf is used, the system administrator (often an end user without knowledge that Kerberos is even being used) must ensure that the two configuration files are synchronized to avoid inconsistent application behavior. I guess that cygwin1.dll could special-case /etc/krb5.conf and have it shadow %ALLUSERSPROFILE%\Kerberos\krb5.conf with appropriate end-of-line translations.

> You can look it up in the source archive really simply:
> ftp://cygwin.com/pub/cygwin/release/heimdal/heimdal-1.5.2-4-src.tar.bz2
>
> From what I gather from the heimdal.cygport file, there's nothing
> special in this build, except for four patch files which fix minor
> build problems and a signal handling bug.

Of the four patches included in the tarball, all but the lib/roken/signal.c patch are specific to the Cygwin build and installation. The lib/roken/signal.c patch could be submitted upstream via a github.com pull request against https://github.com/heimdal/heimdal.

Jeffrey Altman
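The krb5.conf synchronization problem raised in the message above, as an added example that is not from the mail nor from Heimdal or Cygwin: a small checker that parses both files (the DOS-formatted one under %ALLUSERSPROFILE%\Kerberos and the LF-only Cygwin /etc/krb5.conf), tolerating either line ending, and reports the settings that diverge. The two file contents are constructed samples, not taken from a real host.

```python
import re

# Constructed sample inputs: a DOS-formatted (CRLF) native Windows
# krb5.conf and an LF-only Cygwin /etc/krb5.conf that has drifted.
WINDOWS_CONF = (
    "[libdefaults]\r\n"
    "    default_realm = EXAMPLE.COM\r\n"
    "[realms]\r\n"
    "    EXAMPLE.COM = {\r\n"
    "        kdc = kdc1.example.com\r\n"
    "    }\r\n"
)
CYGWIN_CONF = (
    "[libdefaults]\n"
    "    default_realm = EXAMPLE.COM\n"
    "    default_ccache_name = FILE:/tmp/krb5cc_%{uid}\n"
    "[realms]\n"
    "    EXAMPLE.COM = {\n"
    "        kdc = kdc2.example.com\n"
    "    }\n"
)

def parse_krb5_conf(text):
    """Parse krb5.conf (CRLF or LF) into nested dicts of sections/blocks."""
    root, stack = {}, [{}]          # stack[-1] is the block being filled
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:                        # new [section]
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":                 # close nested block
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":              # open nested block, e.g. a realm
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def diff_conf(a, b, prefix=""):
    """Dotted paths of settings that differ or exist on only one side."""
    diffs = []
    for key in sorted(set(a) | set(b)):
        va, vb, path = a.get(key), b.get(key), prefix + key
        if isinstance(va, dict) and isinstance(vb, dict):
            diffs.extend(diff_conf(va, vb, path + "."))
        elif va != vb:
            diffs.append(path)
    return diffs
```

Running diff_conf over the two parsed samples flags libdefaults.default_ccache_name (present only on the Cygwin side) and realms.EXAMPLE.COM.kdc (different KDC), which is exactly the kind of drift that produces inconsistent behavior between native and Cygwin Kerberos applications.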