Date:      Mon, 5 Feb 2024 08:17:00 +0100
From:      Emmanuel Vadot <manu@bidouilliste.com>
To:        Philip Paeps <philip@freebsd.org>
Cc:        Enji Cooper <yaneurabeya@gmail.com>, "Piotr P. Stefaniak" <pstef@freebsd.org>, "Dag-Erling Smørgrav" <des@freebsd.org>, Minsoo Choo <minsoochoo0122@proton.me>, freebsd-arch@freebsd.org
Subject:   Re: Importing Heimdal 7.8.0
Message-ID:  <20240205081700.d0030024eb83f7ccbfd72b3e@bidouilliste.com>
In-Reply-To: <74FEC455-1390-4759-9095-47B9EBA95A31@freebsd.org>
References:  <Zb57nFS1PUt2pGBw@freefall.freebsd.org> <7B302C8A-8A56-4840-B8D1-A01A3F9D765C@gmail.com> <20240204075458.04884948a03419c3afcd1f4f@bidouilliste.com> <74FEC455-1390-4759-9095-47B9EBA95A31@freebsd.org>

On Mon, 05 Feb 2024 14:20:34 +0800
Philip Paeps <philip@freebsd.org> wrote:

> On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote:
> > On Sat, 3 Feb 2024 10:24:09 -0800
> > Enji Cooper <yaneurabeya@gmail.com> wrote:
> >>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak <pstef@freebsd.org>
> >>> wrote:
> >>> On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote:
> >>>> Minsoo Choo <minsoochoo0122@proton.me> writes:
> >>>>> I'm currently working on importing the latest version of Heimdal,
> >>>>
> >>>> Please don't.
> >>>
> >>> why
> >>
> >> Cy is importing MIT kerberos. MIT is (in many cases) the de facto
> >> flavor of kerberos.
> >> Cheers,
> >
> >  Is changing kerberos flavor in 2024 really what we want ?
>
> We should ship a supported / maintained flavour of Kerberos.  MIT is the
> best option.
>
> > People who are using base kdc will likely migrate to ports version of
> > heimdal as database isn't compatible (unless something has changed in
> > the past 15 years I've used kerberos).
>
> That's certainly true.
>
> > I guess that kerberos is still used a bit at some Colleges or old
> > corporation that haven't moved from it but is it relevant for us to
> > still include kerberos in base ?
>
> The kdc is only one component of Kerberos.  While using Kerberos alone
> is certainly increasingly niche, many organisations use it in
> combination with LDAP (e.g. Microsoft Active Directory).
>
> We need the Kerberos libraries in the base system for GSSAPI.  It's more
> effort not to include the kdc and the utilities (kinit, kadmin,
> ktutil,...) than including them.

 Is there a written proposal for this switch ?
 I can't seem to understand how it's useful to not include the
utilities in base (I understand for kdc).
 If I need kerberos to login in my env I would need to pkg install
heimdal/mit so I might as well pkg install openssh-portable && pkg
delete FreeBSD-openssh so I have a kerberos aware ssh.
 Please be aware that we're pushing pkgbase use so we will have a lot
more flexibility to have a tool installed or not.

> > OpenSSH-portable/curl and anything else in ports could be moved to use
> > MIT/Heimdal from ports (based on some options and/or subpackages if
> > that is possible).
>
> OpenSSH in base still needs to support GSSAPI.
>
> Philip
>


--
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>


