Kerberos support in Thunderbird

Simon Wilkinson simon at sxw.org.uk
Mon Sep 12 10:31:47 EDT 2005


Jeffrey Altman wrote:
> For e-mail, I believe that you really want the ability to specify
> in the account setup the Kerberos principal name that should be used
> for the client.

There's not much intelligence in the code at the moment - it will use
whatever the default principal in the current credentials cache is. To
give some background - I implemented the SASL/GSSAPI support on top of
the existing GSSAPI support that's used for NegotiateAuth in Firebird.
Some things (like disabling the credentials prompting support under Mac
OS X) come from the heritage of this underlying module.

> On Mac OS X and with KFW on Windows, you may also want to specify the
> name of the ccache to use.

How do you do this from within the GSSAPI?

> What test is Thunderbird using to determine whether or not GSSAPI
> authentication should be negotiated for a given account?

At the moment, if the 'Use Secure Authentication' option is set for a
given protocol, the server at the other end offers GSSAPI as one of its
supported SASL mechanisms, and the first call to init_secure_context for
that server succeeds, we'll try to do GSSAPI auth against that server.
If GSSAPI fails, then we'll fall back to trying a different
authentication scheme.

Cheers,

Simon.
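
The mechanism selection described in the reply above, sketched as an added example (not part of the original message and not Thunderbird's code). All function names are hypothetical, `first_context_call` stands in for the first GSSAPI context-initiation call, and the fallback order is an assumption because the message does not name the scheme tried after GSSAPI.

```python
import re

# Constructed sample capability lines (not taken from a real server).
SAMPLE_IMAP = "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=CRAM-MD5"
SAMPLE_SMTP = "250-AUTH GSSAPI PLAIN"

def offered_sasl_mechs(capability_line):
    """SASL mechanisms a server advertises, from an IMAP CAPABILITY line
    (AUTH=<mech> tokens) or an SMTP EHLO line ('250-AUTH <mech> ...')."""
    line = re.sub(r"^250[- ]", "", capability_line.strip())
    tokens = line.upper().split()
    if tokens and tokens[0] == "AUTH":  # SMTP form
        return tokens[1:]
    return [t[5:] for t in tokens if t.startswith("AUTH=") and len(t) > 5]

def gssapi_eligible(secure_auth, mechs, first_context_call):
    """The three conditions from the message, checked in order. The callable
    runs only when the cheaper checks pass, so no context is initiated for
    a server that never offered GSSAPI."""
    return bool(secure_auth and "GSSAPI" in mechs and first_context_call())

def authenticate(secure_auth, capability_line, first_context_call, try_mech,
                 fallback_order=("CRAM-MD5", "PLAIN")):
    """Return (mechanism_used, events). try_mech(mech) -> bool performs the
    exchange. fallback_order is an assumption, not stated in the message.
    events records every case where GSSAPI was offered but not used, so a
    silent downgrade shows up in client logs."""
    mechs = offered_sasl_mechs(capability_line)
    events = []
    if gssapi_eligible(secure_auth, mechs, first_context_call):
        if try_mech("GSSAPI"):
            return "GSSAPI", events
        events.append("gssapi-failed-falling-back")
    elif secure_auth and "GSSAPI" in mechs:
        events.append("gssapi-offered-but-no-initial-context")
    for mech in fallback_order:
        if mech in mechs and try_mech(mech):
            return mech, events
    return None, events
```
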

