From: Cy Schubert <cy.schubert@cschubert.com>
To: Benjamin Kaduk
Cc: Sean Bruno, freebsd-arch
Subject: Re: How to update or should we update Kerberos
Date: Mon, 28 May 2018 19:34:35 -0700
Message-Id: <201805290234.w4T2YZH9003991@slippy.cwsent.com>
In-Reply-To: <20180529003057.GB65175@kduck.kaduk.org>
List: freebsd-arch@freebsd.org (Discussion related to FreeBSD architecture)

In message <20180529003057.GB65175@kduck.kaduk.org>, Benjamin Kaduk writes:

> On Mon, May 28, 2018 at 12:49:41PM -0600, Sean Bruno wrote:
> > https://github.com/heimdal/heimdal/releases
> >
> > Since we haven't updated Kerberos for 6 years, I'm curious why we even
>
> cy has some WIP in projects/krb5, which at least initially was to
> switch to MIT krb5 in base (but now may be more ambitious and leave
> both Heimdal and MIT options).

Yes. The first phase, to make kerberos in base private, has been committed to my project branch. It broke over 800 ports. I'm working on cobbling a ports patch. A private kerberos in base cleans up a lot of nasty issues in ports.

The next bit is messy. Originally my plan was to replace Heimdal with MIT; however, one of our cluster admins objected. Though both Heimdal and MIT use the same protocol, the kadmin protocol is incompatible. This is a bit of a POLA violation.

IMO FreeBSD should ship with Kerberos client commands and private libraries and allow the user to select one of the ports for their KDC. A packaged base would make this a little more politically feasible. With this in mind, the only viable option that would be acceptable to everyone is a knob to allow building of one or another in base. In other words, Heimdal in base should probably also be updated.

> > have it floating around in base.
> >
> > I'm ignorant as to what we need it for.
>
> It's a great way to simplify the bootstrap process when setting up
> new machines (in an existing realm environment), in particular, it
> is used in the FreeBSD cluster. Prior to pkgng's introduction of
> signed packages, it was the only way for me to securely integrate a
> new install that did not involve hand-transcribing key material or
> putting it on removable media. I think the signed-packages
> situation helps somewhat, but there are definitely still cases where
> it's useful to have.

When I was at $JOB-1, our script created a keytab and pushed keys through an ssh session from each admin's Linux, FreeBSD, or Solaris desktop.

IMO, in today's environment, I'd be inclined to create a site-wide meta-port with all required FreeBSD ports for the site as prereqs and a port that configured kerberos. I know one person who does this using site-wide Linux RPMs at a Linux shop. When the site-wide config changes, he updates his meta-ports and does a yum update. This might be something we might want to document in a howto doc for pkgng.

> On the other hand, it's also sometimes frustrating when it's
> 6-year-old code and I also want to be in an MIT krb5 environment.
> But I hope that cy will continue with the project branch and we'll
> get an update "soon".

I'm working through all 800 broken ports.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.