After creating the GL550 I've developed an appreciation for some of the "it's nice to work on" features of Heimdal that MIT Kerberos lacks, such as readline support, GNU or GNU-like getopts support, fewer commands that require interactivity, and friendly interfaces for those that do. Many of the command-line tools have saner defaults, such as telnet requesting Kerberos authentication and encryption by default. The use of the -l switch to kadmin instead of a separate kadmin.local binary strikes me as more elegant as well.
Heimdal also has an interesting protocol encapsulation mode that lets clients communicate with the KDC over HTTP on port 80 (and it also supports HTTP proxies). This would be helpful for road warriors behind filtering firewalls that would otherwise block the normal Kerberos traffic on UDP port 88.
Unfortunately the kadmin protocol was never codified as a standard, so a Heimdal kadmind daemon can only be reached with a Heimdal kadmin client.
It also bears mentioning that while I can appreciate the technical merits of Heimdal, I was less than impressed with how SUSE implemented it and integrated it into their distro. The main warts are:
- All heimdal binaries installed under /usr/lib
- Only a single SysV init script for all daemons even though some daemons are only appropriate on a master or slave.
- No /etc/xinetd.d/ files for the Kerberized telnet, ftp (and friends) daemons
- No SysV init script (or alternatively xinetd script) at all for the propagation daemon that should run on slaves
- Kerberized replacements for telnet, ftp and other clients are not first in the $PATH by default. This should be implemented via a /etc/profile.d/kerberos file.
- The YaST kerberos_client module doesn't support more than one KDC and will mangle an existing correct /etc/krb5.conf if it has more than one KDC defined.
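As an added example of the /etc/profile.d/kerberos file suggested above (my own code, not SUSE's or Heimdal's), here is a POSIX sh snippet that puts the Kerberized clients ahead of the plaintext telnet and ftp in $PATH so users get the encrypted tools by default; the directory /usr/lib/heimdal/bin is an assumption, since the post only says the binaries live under /usr/lib.

```shell
# Assumed location of the Heimdal client binaries (the post only states
# that SUSE installs them somewhere under /usr/lib).
HEIMDAL_BIN="${HEIMDAL_BIN:-/usr/lib/heimdal/bin}"

# prepend_path DIR PATHVALUE
# Prints PATHVALUE with DIR moved to the front. If DIR is not a
# directory, PATHVALUE is printed unchanged. Any existing occurrence of
# DIR is dropped first so the directory is never listed twice.
prepend_path() {
    dir=$1
    old=$2
    [ -d "$dir" ] || { printf '%s\n' "$old"; return 0; }
    new=""
    oldifs=$IFS
    IFS=:
    for p in $old; do
        [ -z "$p" ] && continue          # skip empty components
        [ "$p" = "$dir" ] && continue    # drop the old copy of DIR
        new="${new:+$new:}$p"
    done
    IFS=$oldifs
    printf '%s\n' "${dir}${new:+:$new}"
}

# Make the Kerberized telnet, ftp, rsh and friends shadow the plaintext ones.
PATH=$(prepend_path "$HEIMDAL_BIN" "$PATH")
export PATH
```

Dropping the file into /etc/profile.d/ makes it take effect for every new login shell on the host.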
I reported these bugs to SUSE but I never heard anything back. It appears their bugzilla is not visible to outsiders, so I have no way of knowing if the bugs are being acted on or ignored.
