|
Kerberos for Macintosh Product Overview |
Kerberos for Macintosh (KfM) is the reference implementation of the Kerberos authentication system for Mac OS X. KfM provides support for both Kerberos protocol versions, all the major Kerberos APIs and wraps it all into a simple Macintosh package with support for Mac OS X, as well as legacy support for Mac OS 8 & 9 and the Classic environment under Mac OS X.
Under the hood, Kerberos for Macintosh provides Kerberos v5 and Kerberos v4 protocols, GSSAPI, an in-memory ticket cache, KClient compatibility and a graphical Login interface and accompanying API for acquiring Kerberos tickets.
As result of a partnership between MIT and Apple, full Kerberos for Macintosh releases have been included in Mac OS X since 10.2 (Jaguar) which included KfM 4.5.1. The current release is KfM 5.5 and ships with Mac OS X 10.4 (Tiger). The previous release was KfM 5.0.1 and shipped with Mac OS X 10.3 (Panther). The last release of Mac OS X 10.1, Mac OS 8 & 9 and the Classic environment of Mac OS X was KfM 4.0.3.
The Mac OS X Kerberos Extras for 10.2 through 10.4 are available from MIT.
Key Features of Kerberos for Macintosh 5.5
- General
- Native Mac OS X-only implementation of KfM Kerberos libraries provided as a framework
- Support for Unix applications via /usr/lib
- CFM bridge libraries provide support to Carbon CFM applications (only available in Mac OS X Kerberos Extras)
- Support for Kerberos during remote connections
- Basic command-line tools: kinit, kdestroy, klist, kpasswd, kswitch
- Standard MIT KDC and related daemons ships with both Mac OS X Server and client
- kadmin, ktutil tools included
- Kerberos Application
- Native Cocoa version for Mac OS X
- User tool for acquiring, renewing and deleting both v4 and v5 tickets
- Allows multiple credentials including credentials from different realms
- Allows user to change the active credentials
- Principals with both v4 and v5 tickets viewed as a single user
- Can auto-renew renewable tickets
- Configures defaults for Kerberos Login dialog
- Configures realms presented in Kerberos Login dialog
- Allows user to change their Kerberos password
- Information window for displaying the details of individual tickets
- Expanded Preferences dialog for changing extra UI elements and ticket lifetimes
- Realms editor for changing the Kerberos realm configuration
- Dock icon provides indication of ticket status and remaining lifetime
- Pop-up menu from dock icon provides convenient acquisition, deletion and renewal of tickets, and allows easy switching between active users
- Kerberos v5 and GSS Support
- Includes MIT Kerberos v5 1.4
- Library support for multithreaded applications
- Credentials stored in memory
- Integration with Kerberos Login Library (KLL) to present authentication dialog automatically
- Supports 3DES
- krb524 support
- Provides support for hardware preauthentication
- Support for DNS lookups of KDC
- Kerberos v4 and KClient Support
- KClient 3.0 API maintains compatibility with existing KClient applications
- KClient 3.0 API includes compatibility and revised developer libraries as part of the Kerberos framework
- Kerberos v4 implementation now based on MIT's core v4 compatibility library
- Credentials stored in memory
- Kerberos Authentication Dialog
- Dialog and icons designed by Apple
- Provides a single UI for acquiring v4, v5 and simultaneous v4 and v5 tickets
- Allows selection of realm per login, and entry of DNS realms
- Allows change in length of credential life per login
- Allows selection of Kerberos v5 ticket flags per login
Minimum System Requirements for Kerberos for Macintosh 5.5
- A PowerPC Macintosh G3 or better
- Mac OS X 10.4 (KfM is included with the operating system)
Useful Webpages