Kerberos support in Thunderbird

Jim Alexander jalex at cis.upenn.edu
Mon Sep 12 18:08:19 EDT 2005


In article <43259153.6060500 at sxw.org.uk>,
Simon Wilkinson <simon at sxw.org.uk> wrote:
]At the moment, if the 'Use Secure Authentication' option is set for a
]given protocol, the server at the other end offers GSSAPI as one of its
]supported SASL mechanisms, and the first call to init_secure_context for
]that server succeeds, we'll try to do GSSAPI auth against that server.
]If GSSAPI fails, then we'll fall back to trying a different
]authentication scheme.

This isn't a correct implementation, then. IMAP "secure authentication" is
supposed to enable non-cleartext authentication when lower-level encryption
isn't available. It makes no sense to have this enabled to enable
Kerberos auth.  You need to be able to separately specify that you want
Kerberos authentication, on a per-account basis, without the "Use Secure
Authentication" option enabled. Since our server does not support secure
authentication, your implementation does the following right now:

(a) If I already have a Kerberos ticket in my cache, I get my mail as
    expected.

(b) If my ticket cache is empty, Thunderbird correctly posts a "your server
    does not support secure authentication" dialog. My key manager never
    prompts me to obtain a ticket.

You also need to be able to explicitly select (or deselect) Kerberos auth
because the server has a preferential list of authentication methods that
may not match the client's needs. I want to force Kerberos auth, and others
may want to do, say, CRAM-MD5, if available, even if Kerberos is preferred.

Finally, whatever method is being used to offer Kerberos authentication for
SMTP completely doesn't work for me, either, regardless of whether I have
tickets in my cache or not. I get a "relaying denied" error, so GSSAPI auth
is clearly not working, even though the server very clearly offers it, and
indeed it works fine with Apple's Mail and Mulberry.  Can someone say
more about how the SMTP code decides to use GSSAPI or not? I bet this
is another case where you need to be able to explicitly select your
authentication method for each server, just like with IMAP. Every other
mail client I've used does it that way.

-- 

________ Jim Alexander __________________ jalex at cis.upenn.edu ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson
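The mechanism-selection policy the message argues for, as an added illustration that is not Thunderbird's code and not part of the original post: a "require non-cleartext authentication" switch and an explicit per-account mechanism choice are kept as two separate settings, the client parses the mechanisms the server advertises (IMAP CAPABILITY, SMTP EHLO), and an empty credential cache with GSSAPI explicitly selected produces a "get a ticket" result instead of the "server does not support secure authentication" dialog described above. Names (`AccountAuthSettings`, `choose_mechanism`, the sample capability lines) are constructed for this example; no GSSAPI exchange is performed, only the selection decision.

```python
"""Per-account SASL mechanism selection for a mail client (illustrative model)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Mechanisms that transmit the password in the clear (or equivalent).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Client-side default preference order, used only when nothing is forced.
DEFAULT_PREFERENCE = ["GSSAPI", "CRAM-MD5", "PLAIN", "LOGIN"]


@dataclass
class AccountAuthSettings:
    # The "Use Secure Authentication" checkbox: forbid cleartext mechanisms.
    require_non_cleartext: bool = False
    # Explicit per-account choice, independent of the checkbox (hypothetical setting).
    forced_mechanism: Optional[str] = None
    preference: List[str] = field(default_factory=lambda: list(DEFAULT_PREFERENCE))


def parse_imap_capabilities(line: str) -> List[str]:
    """Mechanisms from an IMAP CAPABILITY line, e.g. '* CAPABILITY IMAP4rev1 AUTH=GSSAPI'.

    The plain IMAP LOGIN command is reported as 'LOGIN' unless LOGINDISABLED is present,
    so the policy can treat it like any other cleartext mechanism.
    """
    tokens = [t.upper() for t in line.split()]
    mechs = [t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")]
    if "LOGINDISABLED" not in tokens:
        mechs.append("LOGIN")
    return mechs


def parse_smtp_ehlo(lines: List[str]) -> List[str]:
    """Mechanisms from SMTP EHLO reply lines such as '250-AUTH GSSAPI CRAM-MD5'.

    Both the 'AUTH ' and the older 'AUTH=' spelling are accepted.
    """
    mechs: List[str] = []
    for line in lines:
        body = line[4:].strip().upper()          # drop the '250-' / '250 ' prefix
        if body.startswith("AUTH ") or body.startswith("AUTH="):
            mechs.extend(body[5:].replace("=", " ").split())
    return mechs


def choose_mechanism(offered: List[str], settings: AccountAuthSettings,
                     have_gssapi_credentials: bool) -> Tuple[Optional[str], str]:
    """Pick a mechanism; returns (mechanism or None, human-readable reason)."""
    offered = [m.upper() for m in offered]

    # An explicit choice is honoured or fails loudly; it never silently downgrades.
    if settings.forced_mechanism:
        m = settings.forced_mechanism.upper()
        if m not in offered:
            return None, f"server does not offer {m}"
        if m == "GSSAPI" and not have_gssapi_credentials:
            return None, "no GSSAPI credentials; obtain a ticket first"
        return m, "explicitly selected for this account"

    # Otherwise walk the preference list, skipping what cannot or must not be used.
    for m in settings.preference:
        if m not in offered:
            continue
        if m == "GSSAPI" and not have_gssapi_credentials:
            continue
        if m in CLEARTEXT_MECHS and settings.require_non_cleartext:
            continue
        return m, "first acceptable mechanism in preference order"

    if settings.require_non_cleartext:
        return None, "server does not support secure authentication"
    return None, "no common mechanism"


if __name__ == "__main__":
    # Constructed sample: a server offering only GSSAPI plus cleartext LOGIN.
    offered = parse_imap_capabilities("* CAPABILITY IMAP4rev1 AUTH=GSSAPI")
    secure_only = AccountAuthSettings(require_non_cleartext=True)
    forced_krb = AccountAuthSettings(forced_mechanism="GSSAPI")
    print(choose_mechanism(offered, secure_only, have_gssapi_credentials=True))
    print(choose_mechanism(offered, secure_only, have_gssapi_credentials=False))
    print(choose_mechanism(offered, forced_krb, have_gssapi_credentials=False))
```

With the checkbox alone and an empty ticket cache, the selection falls through to the "server does not support secure authentication" result, which is case (b) in the message; with GSSAPI forced for the account, the same situation yields a result a client can turn into a ticket prompt, and a user who prefers CRAM-MD5 gets it by reordering the preference list without touching the cleartext rule.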

