Kerberos

Kerberos

NOTE: The kerberos project is no longer active on this website so information here may be out of date. Current Oracle Solaris 11 product documentation can be found here. Information about downloading Oracle Solaris 11 can be found here.

About

The content on this page is aimed at developers developing OpenSolaris. If you need support for Solaris you'll be better off going to www.sun.com/suppport/.

OpenSolaris Kerberos is an enhanced version of MIT Kerberos version 5.

It started with MIT Kerberos 1.0.1 and is now fully in sync with 1.4.0 and partially in sync with 1.6 (see details below).


All released MIT security bug fixes are included in OpenSolaris.

MIT Kerberos and Solaris Kerberos

The following is a feature list showing the relationship between Solaris releases and MIT releases.

Solaris Nevada

  • MIT 1.6.3: Full resync including mech, kdc and utilities. PKINIT and removal of kadm5.keytab are the main features.
  • MIT 1.6: kdb plugin w/LDAP
  • MIT 1.6: client-side referrals (AD compatible)
  • MIT 1.6: sub-glue layer
  • MIT 1.4: mech resync
  • MIT 1.4: KDC, kinit resync
  • MIT 1.3: TCP/IPv6 support
  • MIT 1.2.1: DNS discovery

Solaris 10

  • MIT 1.4: mech resync
  • MIT 1.4: KDC, kinit resync
  • MIT 1.3: TCP/IPv6 support
  • MIT 1.2.1: DNS discovery

Solaris 9

  • MIT 1.2.1: DNS discovery

Solaris 8

  • MIT pre 1.2.1 

Kerberos Source

Kerberos commands  
Kerberos GSS-API mechanism  
Kerberos GSS-API kernel mechanism  

Enhancements Included in OpenSolaris

  • Incremental Propagation of the KDC database (see kpropd(1M)).
  • Kerberos support in native OpenSolaris versions of ftp(1)/in.ftpd(1M), rdist(1),rcp(1),rsh(1)/rshd(1M), rlogin(1)/rlogind(1M), telnet(1)/telnetd(1M).
  • Configurable replay cache (see krb5envvar(5)).
  • A kernel GSS-API Kerberos mechanism providing a subset of the userland GSS Kerberos mechanism used by NFS for increased performance.
  • Client configuration utility - kclient(1M).
  • Server configuration utility - kdcmgr(1M).
  • Kerberos support in ssh(1) via GSS-API with credential delegation/credential forwarding.
  • Leverages the OpenSolaris Cryptographic Framework.
  • Internationalized Kerberos utilities.
  • Kerberos administration using rpcsec_gss(3NSL).
  • Automatic ticket renewal and ticket expiration warning for users (see ktkt_warnd(1M)).
  • PAM integration (see pam_krb5(5)).
  • PAM Kerberos auto-migration (see pam~_krb5~_migrate(5)).
  • Kerberos daemons run with least privilege (via the Servicice Management Facility smf(5)).

Developing Kerberos in OpenSolaris

  • If the bug or RFE is not already filed, file it here.
  • Kerberos bugs should be filed in the kerberosv5_bundled category
  • GSS-API bugs should be filed in the gssapi category
  • Grabbing an existing bug or RFE is another good place to start.
  • Contribute your fix back into OpenSolaris.
Tags:
Created by on 2009/10/26 11:40
Last modified by admin on 2009/10/26 12:14

Collectives

Project kerberos Pages

Kerberos
XWiki Enterprise 2.7.1.34853 - Documentation