From: Benjamin Kaduk
Date: Mon, 28 May 2018 19:30:57 -0500
To: Sean Bruno
Cc: freebsd-arch
Subject: Re: How to update or should we update Kerberos
Message-ID: <20180529003057.GB65175@kduck.kaduk.org>

On Mon, May 28, 2018 at 12:49:41PM -0600, Sean Bruno wrote:
> https://github.com/heimdal/heimdal/releases
>
> Since we haven't updated Kerberos for 6 years, I'm curious why we even

cy has some WIP in projects/krb5, which at least initially was to switch to MIT krb5 in base (but now may be more ambitious and leave both Heimdal and MIT options).

> have it floating around in base.
>
> I'm ignorant as to what we need it for.

It's a great way to simplify the bootstrap process when setting up new machines (in an existing realm environment), in particular, it is used in the FreeBSD cluster.
Prior to pkgng's introduction of signed packages, it was the only way for me to securely integrate a new install that did not involve hand-transcribing key material or putting it on removable media. I think the signed-packages situation helps somewhat, but there are definitely still cases where it's useful to have. On the other hand, it's also sometimes frustrating when it's 6-year-old code and I also want to be in an MIT krb5 environment. But I hope that cy will continue with the project branch and we'll get an update "soon".

-Ben