Kerberos Digest, Vol 33, Issue 10

Barfield Steve Steve.Barfield at uk.fujitsu.com
Mon Sep 12 12:15:52 EDT 2005


Please can you tell me what jar file the following class is in:
com.sun.security.auth.module.Krb5LoginModule

-----Original Message-----
From: kerberos-request at mit.edu [mailto:kerberos-request at mit.edu] 
Sent: 12 September 2005 17:02
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 33, Issue 10

Send Kerberos mailing list submissions to
	kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
	kerberos-request at mit.edu

You can reach the person managing the list at
	kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   1. Re: Kerberos support in Thunderbird (Markus Moeller)
   2. Re: Kerberos support in Thunderbird (Mark Sirota)
   3. Re: Kerberos support in Thunderbird (Jim Alexander)
   4. Key size is incompatible (Ryan Olejnik)
   5. Re: Kerberos support in Thunderbird (Jeffrey Altman)
   6. Re: Kerberos support in Thunderbird (Simon Wilkinson)
   7. Re: Kerberos support in Thunderbird (Jeffrey Altman)


----------------------------------------------------------------------

Date: Sun, 11 Sep 2005 18:27:26 +0100
From: "Markus Moeller" <huaraz at moeller.plus.com>
To: kerberos at mit.edu
Subject: Re: Kerberos support in Thunderbird
Message-ID: <dg1pba$dbf$1 at sea.gmane.org>
References: <4322B523.4010102 at sxw.org.uk>
Precedence: list
Message: 1

Simon,

Is there also documentation somewhere on how to enable it? I didn't see
any option when setting up an account nor for an outgoing SMTP server.

Thank you
Markus


"Simon Wilkinson" <simon at sxw.org.uk> wrote in message 
news:4322B523.4010102 at sxw.org.uk...
> The Thunderbird beta (1.5b1) that was released yesterday contains new
> support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
> servers.
>
> It would be really good to get some test coverage against different
> servers, and in different environments. I originally wrote and tested
> the code against the U-W IMAP server - it's also been tested against
> various servers using Cyrus SASL for their GSSAPI support.
>
> The beta can be downloaded from
> http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
>
> Cheers,
>
> Simon.



------------------------------

Date: Sun, 11 Sep 2005 19:28:13 -0400
From: Mark Sirota <msirota at isc.upenn.edu>
To: Markus Moeller <huaraz at moeller.plus.com>, kerberos at mit.edu
Subject: Re: Kerberos support in Thunderbird
Message-ID: <E4B250338BC5DF116CC6C312@[10.0.1.2]>
In-Reply-To: <dg1pba$dbf$1 at sea.gmane.org>
References: <4322B523.4010102 at sxw.org.uk> <dg1pba$dbf$1 at sea.gmane.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 2

--On Sunday, September 11, 2005 6:27 PM +0100 Markus Moeller 
<huaraz at moeller.plus.com> wrote:
> Is there also documentation somewhere on how to enable it? I didn't
> see any option when setting up an account nor for an outgoing SMTP
> server.

Make sure "Use Secure Authentication" is checked in the "Security
Settings" tab for IMAP and POP (the "Never" radio button for secure
connection works just fine). Nothing special needs to be done for SMTP
(if Kerberos tokens exist, SMTP will take advantage of the credentials if
possible).

For Windows, a special pref needs to be set to get MIT's Kerberos
For Windows (and its GSSAPI library) used instead of Microsoft's
sspi.

This line:

user_pref("network.auth.use-sspi", false);

Needs to be put into a user's "prefs.js" in their user profile dir,
or use options | advanced | config to change the pref.

Mark
-- 
Mark Sirota, Associate Director, Network Engineering and Services
University of Pennsylvania, Information Systems and Computing
msirota at isc.upenn.edu, 215/573-7214
------------------------------

Date: Sun, 11 Sep 2005 17:05:01 +0000 (UTC)
From: jalex at cis.upenn.edu (Jim Alexander)
To: kerberos at MIT.EDU
Subject: Re: Kerberos support in Thunderbird
Message-ID: <dg1o3t$d21g$1 at netnews.upenn.edu>
References: <4322B523.4010102 at sxw.org.uk>
Precedence: list
Message: 3

In article <4322B523.4010102 at sxw.org.uk>,
Simon Wilkinson <simon at sxw.org.uk> wrote:
]The Thunderbird beta (1.5b1) that was released yesterday contains new
]support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
]servers.
]
]It would be really good to get some test coverage against different
]servers, and in different environments. I originally wrote and tested
]the code against the U-W IMAP server - it's also been tested against
]various servers using Cyrus SASL for their GSSAPI support.
]
]The beta can be downloaded from
]http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html

I'd love to try this out, but I cannot find information on how to
make GSSAPI the default auth for IMAP and SMTP. There's nothing in
the GUI, nor anything obvious in about:config. I assume there's a
hidden pref, but googling and searching the relevant bugs in bugzilla
for it has come up empty. Is this documented anywhere?

(As a side note, it seems pretty odd to trumpet "Kerberos Authentication"
as one of big new features of 1.5 when there's no obvious way of activating
it!)

-- 

________ Jim Alexander __________________ jalex at cis.upenn.edu ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson
------------------------------

Date: Sun, 11 Sep 2005 22:19:45 -0500
From: Ryan Olejnik <ryno at psychofuture.net>
To: kerberos at mit.edu
Subject: Key size is incompatible
Message-ID: <20050912031945.GA2651 at psychofuture.net>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Message: 4

hello,

does anyone know what might cause this problem:
kinit: krb5_get_init_creds: Key size is incompatible with encryption type

I am only running a master KDC, so that rules out a problem with the slave.

thanks,
ryan olejnik
------------------------------

Date: Mon, 12 Sep 2005 13:53:22 GMT
From: Jeffrey Altman <jaltman2 at nyc.rr.com>
To: kerberos at MIT.EDU
Subject: Re: Kerberos support in Thunderbird
Message-ID: <mLfVe.31245$%w.20422 at twister.nyc.rr.com>
References: <4322B523.4010102 at sxw.org.uk> <dg1pba$dbf$1 at sea.gmane.org>
	<E4B250338BC5DF116CC6C312@[10.0.1.2]>
Precedence: list
Message: 5

Mark Sirota wrote:
> Make sure "Use Secure Authentication" is checked in the "Security
> Settings" tab for IMAP and POP (the "Never" radio button for secure
> connection works just fine). Nothing special needs to be done for SMTP
> (if Kerberos tokens exist, SMTP will take advantage of the credentials if
> possible).

Mark:

For e-mail, I believe that you really want the ability to specify
in the account setup the Kerberos principal name that should be used
for the client.

On Mac OS X and with KFW on Windows, you may also want to specify the
name of the ccache to use.

On Mac OS X and KFW, the Kerberos libraries will prompt the user for
credentials if there are not any.

What test is Thunderbird using to determine whether or not GSSAPI
authentication should be negotiated for a given account?

> For Windows, a special pref needs to be set to get MIT's Kerberos
> For Windows (and its GSSAPI library) used instead of Microsoft's
> sspi.
> 
> This line:
> 
> user_pref("network.auth.use-sspi", false);
> 
> Needs to be put into a user's "prefs.js" in their user profile dir,
> or use options | advanced | config to change the pref.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
------------------------------

Date: Mon, 12 Sep 2005 15:31:47 +0100
From: Simon Wilkinson <simon at sxw.org.uk>
To: Jeffrey Altman <jaltman2 at nyc.rr.com>
Cc: kerberos at mit.edu
Subject: Re: Kerberos support in Thunderbird
Message-ID: <43259153.6060500 at sxw.org.uk>
In-Reply-To: <mLfVe.31245$%w.20422 at twister.nyc.rr.com>
References: <4322B523.4010102 at sxw.org.uk> <dg1pba$dbf$1 at sea.gmane.org>
	<E4B250338BC5DF116CC6C312@[10.0.1.2]>
	<mLfVe.31245$%w.20422 at twister.nyc.rr.com>
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 6

Jeffrey Altman wrote:
> For e-mail, I believe that you really want the ability to specify
> in the account setup the Kerberos principal name that should be used
> for the client.

There's not much intelligence in the code at the moment - it will use
whatever the default principal in the current credentials cache is. To
give some background - I implemented the SASL/GSSAPI support on top of
the existing GSSAPI support that's used for NegotiateAuth in Firebird.
Some things (like disabling the credentials prompting support under Mac
OS X), come from the heritage of this underlying module.

> On Mac OS X and with KFW on Windows, you may also want to specify the
> name of the ccache to use.

How do you do this from within the GSSAPI?

> What test is Thunderbird using to determine whether or not GSSAPI
> authentication should be negotiated for a given account?

At the moment, if the 'Use Secure Authentication' option is set for a
given protocol, the server at the other end offers GSSAPI as one of its
supported SASL mechanisms, and the first call to init_secure_context for
that server succeeds, we'll try to do GSSAPI auth against that server.
If GSSAPI fails, then we'll fall back to trying a different
authentication scheme.

Cheers,

Simon.
------------------------------

Date: Mon, 12 Sep 2005 15:13:27 GMT
From: Jeffrey Altman <jaltman2 at nyc.rr.com>
To: kerberos at MIT.EDU
Subject: Re: Kerberos support in Thunderbird
Message-ID: <rWgVe.31254$%w.4370 at twister.nyc.rr.com>
References: <4322B523.4010102 at sxw.org.uk> <dg1pba$dbf$1 at sea.gmane.org>
	<E4B250338BC5DF116CC6C312@[10.0.1.2]><43259153.6060500 at sxw.org.uk>
Precedence: list
Message: 7

Simon Wilkinson wrote:

>>On Mac OS X and with KFW on Windows, you may also want to specify the
>>name of the ccache to use.
> 
> 
> How do you do this from within the GSSAPI?

At the moment, via the KRB5CCNAME environment variable.
(Yes, I know, it's not thread safe to do so)

>>What test is Thunderbird using to determine whether or not GSSAPI
>>authentication should be negotiated for a given account?
> 
> 
> At the moment, if the 'Use Secure Authentication' option is set for a
> given protocol, the server at the other end offers GSSAPI as one of its
> supported SASL mechanisms, and the first call to init_secure_context for
> that server succeeds, we'll try to do GSSAPI auth against that server.
> If GSSAPI fails, then we'll fall back to trying a different
> authentication scheme.

This can end up causing some problems for end users.  It is entirely
possible for the GSSAPI authentication to succeed and yet the user
will be unable to access the mailbox they are attempting to reach
because the principal used is not the one which has authorization for
accessing the mailbox.

At the very least I think that users need to have the ability to
disable the use of GSSAPI on a per mailbox basis until such time as
we have better client principal selection algorithms in place.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
------------------------------


End of Kerberos Digest, Vol 33, Issue 10
****************************************
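
The selection test Simon Wilkinson describes in message 6, extended with the two controls Jeffrey Altman asks for (a client principal set per account and a per-mailbox GSSAPI opt-out), as an added example that is not Thunderbird's code. Every function and field name below is hypothetical, and the capability lines and principals are constructed samples.

```javascript
// Added example, not Thunderbird code. All function and field names are hypothetical.

// Collect the SASL mechanisms a server advertises.
//   IMAP : "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN"
//   SMTP : "250-AUTH GSSAPI PLAIN"   (EHLO reply line)
//   POP3 : "SASL GSSAPI PLAIN"       (CAPA reply line)
function parseSaslMechanisms(protocol, lines) {
  const mechs = new Set();
  const add = (names) =>
    names.filter(Boolean).forEach((n) => mechs.add(n.replace(/\]$/, "").toUpperCase()));
  for (const raw of lines) {
    const line = raw.trim();
    if (protocol === "imap") {
      add(line.split(/\s+/).filter((w) => /^AUTH=/i.test(w)).map((w) => w.slice(5)));
    } else if (protocol === "smtp") {
      const m = /^250[- ]AUTH[ =](.*)$/i.exec(line);
      if (m) add(m[1].split(/\s+/));
    } else if (protocol === "pop3") {
      const m = /^SASL\s+(.*)$/i.exec(line);
      if (m) add(m[1].split(/\s+/));
    }
  }
  return mechs;
}

// Decide whether to attempt GSSAPI for one account.
// initContext() stands in for the first GSSAPI context call: it returns
// { ok, principal }, where principal is the ccache's default principal.
function chooseAuth(account, mechs, initContext) {
  if (!account.useSecureAuth) return { gssapi: false, reason: "secure auth not enabled" };
  if (account.disableGssapi) return { gssapi: false, reason: "GSSAPI disabled for this mailbox" };
  if (!mechs.has("GSSAPI")) return { gssapi: false, reason: "server does not offer GSSAPI" };
  const ctx = initContext();
  if (!ctx.ok) return { gssapi: false, reason: "no usable credentials, fall back" };
  // Without this check the context succeeds but the mailbox may refuse the principal.
  if (account.principal && account.principal !== ctx.principal) {
    return { gssapi: false, reason: `default principal ${ctx.principal} is not ${account.principal}` };
  }
  return { gssapi: true, reason: `authenticate as ${ctx.principal}` };
}

// Constructed sample: the ccache holds an admin principal, the mailbox belongs to "alice".
const caps = parseSaslMechanisms("imap", ["* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN"]);
const ccache = () => ({ ok: true, principal: "alice/admin@EXAMPLE.ORG" });
console.log(chooseAuth({ useSecureAuth: true }, caps, ccache));
console.log(chooseAuth({ useSecureAuth: true, principal: "alice@EXAMPLE.ORG" }, caps, ccache));
```

The first call reproduces the behaviour described in message 6 (GSSAPI is attempted with whatever the default principal is); the second shows the mismatch from message 7 being caught before authentication rather than after the mailbox refuses access.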

