Kerberos support in Thunderbird

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Sep 12 11:13:27 EDT 2005


Simon Wilkinson wrote:

>>On Mac OS X and with KFW on Windows, you may also want to specify the
>>name of the ccache to use.
> 
> 
> How do you do this from within the GSSAPI?

At the moment, via the KRB5CCNAME environment variable.
(Yes, I know, it's not thread safe to do so)

>>What test is Thunderbird using to determine whether or not GSSAPI
>>authentication should be negotiated for a given account?
> 
> 
> At the moment, if the 'Use Secure Authentication' option is set for a
> given protocol, the server at the other end offers GSSAPI as one of its
> supported SASL mechanisms, and the first call to init_secure_context for
> that server succeeds, we'll try to do GSSAPI auth against that server.
> If GSSAPI fails, then we'll fall back to trying a different
> authentication scheme.

This can end up causing some problems for end users.  It is entirely
possible for the GSSAPI authentication to succeed and yet the user
will be unable to access the mailbox they are attempting to reach
because the principal used is not the one which has authorization for
accessing the mailbox.

At the very least I think that users need to have the ability to
disable the use of GSSAPI on a per-mailbox basis until such time as
we have better client principal selection algorithms in place.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
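
The KRB5CCNAME approach described in the message above, as an added example that is not part of the original post: a wrapper that serializes the environment change behind one lock and restores the previous value afterwards. The names with_ccache, gss_step_fn and sees_ccache are hypothetical, the ccache names used with it are constructed, and the callback stands in for the application's GSSAPI call.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* The environment is shared by every thread in the process, so one
 * process-wide lock guards every change to KRB5CCNAME. This only helps
 * if all code that sets or depends on KRB5CCNAME goes through here. */
static pthread_mutex_t ccname_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hypothetical callback type: the work to run under the chosen ccache. */
typedef int (*gss_step_fn)(void *arg);

/* Run step(arg) with KRB5CCNAME set to ccname, then restore the old
 * value (or unset it if it was unset before).
 * Returns step's result, or -1 if the environment could not be changed. */
int with_ccache(const char *ccname, gss_step_fn step, void *arg)
{
    int rc = -1;
    pthread_mutex_lock(&ccname_lock);

    const char *cur = getenv("KRB5CCNAME");
    /* Copy the old value: setenv may invalidate the getenv pointer. */
    char *saved = cur ? strdup(cur) : NULL;

    if ((cur == NULL || saved != NULL) &&
        setenv("KRB5CCNAME", ccname, 1) == 0) {
        rc = step(arg);   /* e.g. the application's GSSAPI context setup */
        if (saved)
            setenv("KRB5CCNAME", saved, 1);
        else
            unsetenv("KRB5CCNAME");
    }

    free(saved);
    pthread_mutex_unlock(&ccname_lock);
    return rc;
}

/* Stand-in for the GSSAPI call: returns 1 if the ccache name it sees in
 * the environment is the one passed as arg, 0 otherwise. */
int sees_ccache(void *expected)
{
    const char *v = getenv("KRB5CCNAME");
    return v != NULL && strcmp(v, (const char *)expected) == 0;
}
```

The lock does not protect against threads that read or write the environment without going through the wrapper, which is the limitation the message refers to.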

