cyrus-imapd and kerberos

Alec Kloss alec-keyword-sasl.b63ee0 at SetFilePointer.com
Thu Feb 11 07:25:36 EST 2010 

On the heimdal-discuss mailing list, the patch below has been
pretty heavily discussed:

On 2010-01-18 07:37, Alec Kloss wrote:
> On 2010-01-17 23:56, Jeffrey Hutzelman wrote:
> > --On Saturday, January 16, 2010 12:43:00 PM -0500 Ken Raeburn 
> > <raeburn at MIT.EDU> wrote:
> > 
> > >but I haven't tweaked the server side to see if the Cyrus IMAP server
> > >will accept a service principal name that isn't the one generated from
> > >the local host name.)
> > 
> > Cyrus SASL, and thus the Cyrus IMAP server, can be configured to accept a 
> > service principal name generated from an arbitrary hostname; it need not be 
> > the same as the host's actual name.  However, it cannot be configured to 
> > accept multiple SPN's, or "any SPN for which I have a keytab entry", or 
> > anything useful like that.  That is, it insists on building a service name 
> > and obtaining a credental for a specific service, rather than simply using 
> > CSS_C_NO_CREDENTIAL like all right-thinking acceptors.
> > 
> > :-(
> > 
> 
> Anyone have comments about this patch to SASL?
> 
> 
> --- ./plugins/gssapi.c.orig	2008-09-11 15:13:32.000000000 -0500
> +++ ./plugins/gssapi.c	2008-10-30 12:33:48.000000000 -0500
> @@ -693,7 +693,7 @@
>  	    
>  	    GSS_LOCK_MUTEX(params->utils);
>  	    maj_stat = gss_acquire_cred(&min_stat, 
> -					text->server_name,
> +					GSS_C_NO_NAME,
>  					GSS_C_INDEFINITE, 
>  					GSS_C_NO_OID_SET,
>  					GSS_C_ACCEPT,
> 
> -- 
> Alec Kloss  alec at SetFilePointer.com   IM: daemonalec at gmail.com
> PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
> "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon


No one there has come up with a compelling argument why it
shouldn't be applied to SASL in general, perhaps enhanced to allow
an administrator to specify a specific name to override the new
default of GSS_C_NO_NAME..

Thoughts?

-- 
Alec Kloss  alec at SetFilePointer.com   IM: daemonalec at gmail.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20100211/e3314273/attachment.bin

More information about the Cyrus-sasl mailing list