Current Work
The following are projects or RFEs which are currently being worked on.
PKINIT
There are a number of sub-projects involved with this feature:
- Resync Solaris Kerberos with MIT Kerberos 1.6.3.
  - This will likely touch all parts of Solaris Kerberos.
- Convert the pkinit pre-authentication plugin to be KMF-aware
  - We will convert the OpenSSL(5) layer (within pkinit.so) to the KMF API - libkmf(3LIB)
  - KMF allows us to take advantage of the system global policy db (/etc/security/kmfpolicy.xml) and allows keystore flexibility.
- PKINIT-capable pam_krb5
*This project will NOT deliver a PKINIT-capable pam_krb5 but a follow-on project is slated to do so.
kclientv2
kclient(1M) is being enhanced to allow for the following configurations:
- Add a Kerberos client to a MS Active Directory (AD) server
- Add a Kerberos client to a non-Solaris and non-AD Key Distribution Center (KDC). This includes support for servers such as MIT, Heimdal, and Shishi.
- Add a Kerberos client that has no Kerberos administration privileges. These types of clients include:
  - Client is dynamic. For example, a VPN or DHCP client.
  - Client is not dynamic, but the local administrator does not currently have service keys available for the machine. It is expected that these keys will be installed on the machine at a later time.
  - Client is not dynamic, but does not want to provide services using Kerberos.
- Add a Kerberos client that is part of a cluster node.
For more information, see the PSARC case and the RFE tracking this work.
KDC master-key enctype migration
There is currently no way to modify the encryption type used to protect an existing Kerberos database. This project will allow encryption type migration to take advantage of stronger encryption types. See 6290237 for more information.
Note that Will Fiveash is currently working with the MIT Kerberos Consortium to develop this project there first and will backport this to OpenSolaris. The Consortium project page is here.
on 2009/10/26 12:14