7

What are the relative advantages of Heimdal and MIT Kerberos now MIT is freely exportable? Ones I've come across so far that might be relevant to my particular project are that it seems MIT supports constrained delegation in the GSS-API layer and Heimdal doesn't yet, and that Heimdal has a --with-openssl config option that makes it easy to use a version of OpenSSL other than the system default. Either can be worked around. I've found mailing list comments suggesting that Heimdal's thread safety is better, but they are fairly dated.

2
  • I suspect but cannot prove there are still political concerns. For instance, despite MIT being now free to distribute K online, export to the seven (eight?) watchlist nations is probably still illegal (or at least problematic), whereas people in those embargoed countries could get Heimdal without those difficulties.
    – adric
    Commented Jan 13, 2014 at 19:20
  • True, it's not completely freely exportable, just much much more so than in the 1990s. en.wikipedia.org/wiki/… en.wikipedia.org/wiki/… The still embargoed countries are (I think) Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria (though also I've seen lists which omit Iraq and Libya - the US government page cited is 404 and I haven't bothered to track down where it moved to) cryptolaw.org/cls2.htm#us_terror
    – armb
    Commented Jan 14, 2014 at 8:57

1 Answer

2

In my case, part of the answer turns out to be "Heimdal's kadmin supports adding constrained delegation attributes, MIT doesn't support constrained delegation with the default backend and requires you to modify the LDAP database directly if you use the LDAP backend".

I'd still be interested in learning of other people's opinions or experiences.
