OpenSolaris

OpenSolaris Project: Kerberos

Endorsing communities

Security

About

The content on this page is aimed at developers working on OpenSolaris. If you need support for Solaris, you'll be better off going to www.sun.com/suppport/.

OpenSolaris Kerberos is an enhanced version of MIT Kerberos version 5.

It started with MIT Kerberos 1.0.1 and is now fully in sync with 1.4.0 and partially in sync with 1.6 (see details below).

All released MIT security bug fixes are included in OpenSolaris.

MIT Kerberos and Solaris Kerberos

The following is a feature list showing the relationship between Solaris releases and MIT releases.

Solaris Nevada

  • MIT 1.6: kdb plugin w/LDAP
  • MIT 1.6: client-side referrals (AD compatible)
  • MIT 1.6: sub-glue layer
  • MIT 1.4: mech resync
  • MIT 1.4: KDC, kinit resync
  • MIT 1.3: TCP/IPv6 support
  • MIT 1.2.1: DNS discovery

Solaris 10

  • MIT 1.3: TCP/IPv6 support
  • MIT 1.2.1: DNS discovery

Solaris 9

  • MIT 1.2.1: DNS discovery

Solaris 8

  • MIT pre 1.2.1

Kerberos Source

Kerberos commands
Kerberos GSS-API mechanism
Kerberos GSS-API kernel mechanism

Enhancements Included in OpenSolaris

  • Incremental Propagation of the KDC database (see kpropd(1M)).
  • Kerberos support in native OpenSolaris versions of ftp(1)/in.ftpd(1M), rdist(1), rcp(1), rsh(1)/rshd(1M), rlogin(1)/rlogind(1M), telnet(1)/telnetd(1M).
  • Configurable replay cache (see krb5envvar(5)).
  • A kernel GSS-API Kerberos mechanism providing a subset of the userland GSS Kerberos mechanism used by NFS for increased performance.
  • Client configuration utility – kclient(1M).
  • Kerberos support in ssh(1) via GSS-API with credential delegation/credential forwarding.
  • Leverages the OpenSolaris Cryptographic Framework.
  • Internationalized Kerberos utilities.
  • Kerberos administration using rpcsec_gss(3NSL).
  • Automatic ticket renewal and ticket expiration warning for users (see ktkt_warnd(1M)).
  • PAM integration (see pam_krb5(5)).
  • PAM Kerberos auto-migration (see pam_krb5_migrate(5)).
  • Kerberos daemons run with least privilege (via the Service Management Facility smf(5)).

Developing Kerberos in OpenSolaris

  • If the bug or RFE is not already filed, file it here.
    • Kerberos bugs should be filed in the kerberosv5_bundled category
    • GSS-API bugs should be filed in the gssapi category
  • Grabbing an existing bug or RFE is another good place to start.
  • Contribute your fix back into OpenSolaris.

OpenSolaris Kerberos Documentation

General Information

Developer Documentation

Presentations

RFCs

Announcements

16 Oct 2007 Kerberos project now live!

Blogs

markp - What's new for Kerberos in Solaris 10 5/08

Apr 17, 11:07 AM

Solaris 10 5/08 was just released and it contains a number of significant enhancements to Kerberos. I've drawn up a list of new features, singling out the ones I think are most significant. Even ...

wfiveash - The Rough Guide to configuring a Solaris KDC to use a LDAP DS for the KDB

Mar 7, 4:25 PM

config_kdc_ldap.html Steps to configure a Solaris KDC and LDAP directory to store and retrieve Kerberos records from the LDAP Directory Server. Solaris Developer Express and Solaris 10 Update 5 was ...

markp - Kerberos Project on OpenSolaris.org

Oct 15, 3:03 AM

I've just set up the new Kerberos project on opensolaris.org. It's the new home of all things related to Kerberos on opensolaris. The project will be officially launched in the next day or so. Its ...

wfiveash - Update on Playing with Solaris memory debuggers

Sep 5, 1:53 PM

A long time ago I wrote about my experiences playing with various memory debuggers in Solaris. One thing I mentioned was: Note, a core dump is not necessary. Use "mdb -o nostop -p PID" where PID is ...

markp - Kerberos changes in OpenSolaris

Aug 17, 4:18 PM

I recently committed my zero-conf changes to OpenSolaris - they're going to be in build 71 (more on that later). There are a number of ways to track what new stuff goes into OpenSolaris: you could ...