Projects / Heimdal


Heimdal is an implementation of Kerberos 5 that aims to be protocol compatible with existing implementations and RFC 4120. It supports Kerberos V5 over GSS-API (RFC 1964) and PK-INIT (smartcard support) for Kerberos, and includes a number of important and useful applications (rsh, telnet, popper, etc.). Heimdal also contains an ASN.1 compiler, X.509 library, and NTLM (v1 and v2) library.

Recent releases

  •  08 May 2008 20:23

    Release Notes: Read-only PKCS11 provider is built in to hx509. Documentation for hx509, hcrypto, and ntlm libraries was improved. Better compatibilty with Windows 2008 Server pre-releases and Vista. Mac OS X 10.5 support for native credential cache. A pkg-config file for Heimdal (heimdal-gssapi.pc). Several bugs were fixed.

    •  09 Aug 2007 15:30

      Release Notes: Several bugs in iprop were fixed. Platforms without dlopen are now supported. RFC3526 modp group14 is now included by default. [kdc] database = { } entries are now handled without realm = stanzas. krb5_get_renewed_creds and kaserver preauth were fixed along with other bugs.

      •  05 Aug 2007 23:39

        Release Notes: A new gss_pseudo_random() function for mechglue and krb5 has been added, and the session key for the krbtgt is now selected by the client's best encryption type. Interoperability with other PK-INIT implementations has improved, and there is inital support for Mac OS X Keychain for hx509, as well as alias support for inital ticket requests. Symbol versioning has been added to selected libraries on platforms that use the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. A new version of imath is included in hcrypto. Some memory leaks and other bugs were also fixed.

        •  13 Jan 2007 15:02

          Release Notes: This release fixes a security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write. It fixes a DOS in telnetd. It makes gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. (This allows servers to check if it's even possible to use GSSAPI.) It fixes the receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending, for compatibility reasons. telnetd, login, and rshd are now more verbose in logging failed and successful logins.

          •  02 Jul 2004 08:19

            Release Notes: This release features security fixes and new functionality.


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.