Kerberos at OpenSolaris.org

You are not signed in. or register.

Project: Kerberos

OpenSolaris Project: Kerberos

View the leaders for this project
Project Observers

Endorsing communities

Security

About

The content on this page is aimed at developers developing OpenSolaris. If you need support for Solaris you'll be better off going to www.sun.com/suppport/.

OpenSolaris Kerberos is an enhanced version of MIT Kerberos version 5.

It started with MIT Kerberos 1.0.1 and is now fully in sync with 1.4.0 and partially in sync with 1.6 (see details below).

All released MIT security bug fixes are included in OpenSolaris.

MIT Kerberos and Solaris Kerberos

The following is a feature list showing the relationship between Solaris releases and MIT releases.

Solaris Nevada

MIT 1.6.3: Full resync including mech, kdc and utilities. PKINIT and removal of kadm5.keytab are the main features.
MIT 1.6: kdb plugin w/LDAP
MIT 1.6: client-side referrals (AD compatible)
MIT 1.6: sub-glue layer
MIT 1.4: mech resync
MIT 1.4: KDC, kinit resync
MIT 1.3: TCP/IPv6 support
MIT 1.2.1: DNS discovery

Solaris 10

MIT 1.4: mech resync
MIT 1.4: KDC, kinit resync
MIT 1.3: TCP/IPv6 support
MIT 1.2.1: DNS discovery

Solaris 9

MIT 1.2.1: DNS discovery

Solaris 8

MIT pre 1.2.1

Kerberos Source

Kerberos commands
Kerberos GSS-API mechanism
Kerberos GSS-API kernel mechanism

Enhancements Included in OpenSolaris

Incremental Propagation of the KDC database (see kpropd(1M)).
Kerberos support in native OpenSolaris versions of ftp(1)/in.ftpd(1M), rdist(1),rcp(1),rsh(1)/rshd(1M), rlogin(1)/rlogind(1M), telnet(1)/telnetd(1M).
Configurable replay cache (see krb5envvar(5)).
A kernel GSS-API Kerberos mechanism providing a subset of the userland GSS Kerberos mechanism used by NFS for increased performance.
Client configuration utility – kclient(1M).
Server configuration utility – kdcmgr(1M).
Kerberos support in ssh(1) via GSS-API with credential delegation/credential forwarding.
Leverages the OpenSolaris Cryptographic Framework.
Internationalized Kerberos utilities.
Kerberos administration using rpcsec_gss(3NSL).
Automatic ticket renewal and ticket expiration warning for users (see ktkt_warnd(1M)).
PAM integration (see pam_krb5(5)).
PAM Kerberos auto-migration (see pam_krb5_migrate(5)).
Kerberos daemons run with least privilege (via the Servicice Management Facility smf(5)).

Developing Kerberos in OpenSolaris

If the bug or RFE is not already filed, file it here.
- Kerberos bugs should be filed in the kerberosv5_bundled category
- GSS-API bugs should be filed in the gssapi category
Grabbing an existing bug or RFE is another good place to start.
Contribute your fix back into OpenSolaris.

Announcements

16 Oct 2007

Kerberos project now live!

Blogs

I just upgraded OpenSSL to version 0.9.8k. 0.9.8k is the latest stable version of OpenSSL. OpenSSL in OpenSolaris before this was at version 0.9.8a with backported security fixes . I moved OpenSSL ...

mbp - OpenSSL now lives in SFW

May 28, 9:27 AM

Today I integrated the changes necessary for the move of OpenSSL from the Operating System/Networking (ON) consolidation to the Solaris FreeWare (SFW) consolidation. The old source still lives in ON ...

markp - Truecrypt on OpenSolaris

Feb 27, 2:21 AM

Recently I've been playing around with TrueCrypt on Solaris. TrueCrypt is a cross-platform (Linux, MacOS, Windows, FreeBSD) application which provides disk encryption. On the non-windows platforms it ...

markp - Enhanced command-line editing support in Kerberos admin tools

Jan 2, 2:46 AM

Back in November I added enhanced command line editing support to the Kerberos administration tools kadmin(1M) , kadmin.local(1M) and ktutil(1M) . When run interactively these commands support a ...

markp - Multiple changeset pushes to ON

Dec 31, 5:21 AM

When ON switched to Mercurial from Teamware earlier this year ON went from having per-file delta's to per-repository changesets. In many ways Mercurial is a superior SCM to Teamware but this ...

OpenSolaris