So I'm setting up a small network with all the standard stuff (files, email, etc.) and I've decided to go with a Kerberos+LDAP solution. Any ideas or recommendations on Heimdal vs. MIT?

I've used MIT before, and tangentially Heimdal, but I don't really know of any real reason for using one over the other. I just know that I'd prefer not to realize I'd rather be running MIT after getting the whole Heimdal setup up and running with a full user database.

If any other info'd be useful, I'm happy to provide.

Michael Lowman

5 Answers

MIT Kerberos is well supported. It is the reference implementation and default on RedHat and I believe Debian as well. OTOH, Heimdal had slightly nicer administration tools IIRC, but I've gone with MIT.

ptman
I would tend to answer, "whichever one is provided by your distribution", unless there are particular features you need that are only available in one or the other. For example, Heimdal lets you use an LDAP directory as your keystore, which may be attractive in a larger organization (since you can store Kerberos credentials and other user information in the same place).

larsks
  • Well, my distro's Gentoo, so that's both :) And MIT can do the same, but I'm planning on using local database files anyways – Michael Lowman Jan 09 '11 at 04:36

According to http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

Kerberos is both the name of a network authentication protocol and an adjective to describe programs that implement the program (Kerberos telnet, for example). The current version of the protocol is version 5, described in RFC 1510.

Several free implementations of this protocol are available, covering a wide range of operating systems. The Massachusetts Institute of Technology (MIT), where Kerberos was originally developed, continues to develop their Kerberos package. It is commonly used in the US as a cryptography product; as such, it has historically been affected by US export regulations. The MIT Kerberos is available as a port (security/krb5). Heimdal Kerberos is another version 5 implementation, and was explicitly developed outside of the US to avoid export regulations (and is thus often included in non-commercial UNIX® variants). The Heimdal Kerberos distribution is available as a port (security/heimdal), and a minimal installation of it is included in the base FreeBSD install.

In order to reach the widest audience, these instructions assume the use of the Heimdal distribution included in FreeBSD.

So it is also a law matter...

plluksie
  • Well... I don't live in Iran, North Korea, or any other country considered a terrorist state and therefore subject to export control regulations. Other than that restriction, there haven't been that kind of export control restrictions on strong crypto since [1996](http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1996_register&docid=fr19no96-98.pdf). Maybe my question would be better phrased, "Is the only reason to use Heimdal or Kerberos supporting a legacy system from when only Heimdal was legal?" – Michael Lowman Jan 09 '11 at 16:08
Heimdal is/will be integrated with Samba 4 in its Active Directory implementation.

Hubert Kario
  • Could you provide exact source? – plluksie Jan 09 '11 at 15:38
  • As far as I can tell from random googling, Samba4 currently has heimdal integrated in [the source tree](http://gitweb.samba.org/?p=samba.git;a=tree;f=source4;h=d2d5a195ed89f8cd68f945c7e935f86b9ba138c0;hb=refs/heads/master). It does look like there's an [effort](http://samba.org/~idra/blog/id_005.html) to make it [mit compatible](http://wiki.samba.org/index.php/Samba4/MIT_KDC), and idk how far that's got. Still, looks like that included heimdal and ldap's here to stay. Thanks! – Michael Lowman Jan 09 '11 at 16:27
Heimdal is the implementation of Kerberos5 that FreeBSD uses. It and the MIT implementation are also available in the ports collection.

Utkonos