Kerberos support in Thunderbird
Sam Hartman
hartmans at MIT.EDU
Wed Sep 14 19:09:49 EDT 2005
>>>>> "Jim" == Jim Alexander <jalex at cis.upenn.edu> writes:
Jim> In article <43259153.6060500 at sxw.org.uk>,
Jim> Simon Wilkinson <simon at sxw.org.uk> wrote:
Jim> ]At the moment, if the 'Use Secure Authentication' option is
Jim> ]set for a given protocol, the server at the other end offers
Jim> ]GSSAPI as one of its supported SASL mechanisms, and the
Jim> ]first call to init_secure_context for that server succeeds,
Jim> ]we'll try to do GSSAPI auth against that server. If GSSAPI
Jim> ]fails, then we'll fall back to trying a different
Jim> ]authentication scheme.
Jim> This isn't a correct implementation, then. IMAP "secure
Jim> authentication" is supposed to enable non-cleartext
Jim> authentication when lower-level encryption isn't
Jim> available. It makes no sense to have this enabled to enable
Jim> kerberos auth. You need to be able to separately specify
Jim> that you want kerberos authentication, on a per-account
Jim> basis, without the "Use Secure Authentication" option
Jim> enabled. Since our server does not support secure
Jim> authentication, your implementation does the following right
Jim> now:
Sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
definition of IMAP secure authentication.
Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
Jim> a "your server does not support secure authentication"
Jim> dialog. My key manager never prompts me to obtain a ticket.
On Mac and Windows this is not at all what I'd expect. I'd expect you
to be prompted to get tickets.
--Sam