Is it required to use GSSAPI code for the Kerberos Server Auth?

Richard E. Silverman res at qoxp.net
Fri Mar 24 01:24:14 EST 2006


http://www.rfc-archive.org/getrfc.php?rfc=1964

> While sending the AP_REQ packet to SMTP server, should we add GSSAPI
> information? Basically, I am sending the
> - Service ticket and
> - Authenticator information in the AP_REQ packet. With this information,
> the SMTP server is saying, unknown data?
>
> Is it required to add some GSSAPI header information to the AP_REQ packet?
> What GSSAPI should I use to make the correct AS_REQ packet?

This is very confusing; are you just sending binary Kerberos tokens
(BER-encoded ASN.1 as defined in RFC 1510) directly over an SMTP
connection?  That makes no sense; they are not part of the SMTP protocol.

The only way I know of to do Kerberos-5 authentication over SMTP is via
the SASL GSSAPI mechanism, e.g.:

  S: 220 server ESMTP Sendmail 8.13.4/8.13.4/Debian-3
  C: EHLO client
  S: 250-server Hello client [192.168.10.1], pleased to meet you
  S: 250-ENHANCEDSTATUSCODES
  S: 250-PIPELINING
  S: 250-8BITMIME
  S: 250-SIZE
  S: 250-DSN
  S: 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
  S: 250-STARTTLS
  S: 250-DELIVERBY
  S: 250 HELP
  C: AUTH GSSAPI YIICHwYJKoZIhvcSAQICAQBuggIOMIICCqADAgEFoQMCA...
  S: 334 YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+idzB1oAMCA...
  C: 
  S: 334 YD8GCSqGSIb3EgECAgIBBAD/////NjquIGKmcwGEBpaxka32hdsjW...
  C: YD8GCSqGSIb3EgECAgIBBAD/////Na98BB7CsN66s7du++Yd/T4gnuWH9...
  S: 235 2.0.0 OK Authenticated
  Authenticated.
  Security strength factor: 56
  C: QUIT

These messages are base64 encoded GSSAPI/Kerberos messages as defined in
RFC 1964.

> POINT#2:
> =======
> If we use GSSAPI code, everything will be taken by that. All  *_REQ and _REP
> packets will be sent and processed. Can't we plugin our processed AS_REQ,
> AS_REP, TGS_REQ and TGS_REP packets in to that?

Why would you want to, if the GSSAPI library accomplishes your goal?  The
whole point is abstraction.

Anyway, if you've gotten as far as doing this much of the Kerberos
protocol yourself, it's not much more work to do the GSSAPI / SASL
encoding too and implement the exchange you see above, if you really want
to.

-- 
  Richard Silverman
  res at qoxp.net
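The framing the reply points at, as an added example that is not part of the original post or of any Kerberos library: a Python script that wraps a raw Kerberos AP-REQ in the GSS-API initial-context-token header (RFC 1964 section 1.1, RFC 2743 section 3.1) that SASL GSSAPI expects, base64-encodes it the way the `AUTH GSSAPI` line above does, and parses the same header back out of the truncated base64 tokens shown in the exchange. The mechanism OID and TOK_ID values are those RFC 1964 defines; the AP-REQ body fed to the encoder in the test is a constructed dummy, not a real ticket.

```python
"""Added example (not code from the thread): the GSS-API wrapper that SASL GSSAPI
puts around a Kerberos AP-REQ (RFC 2743 sec. 3.1, RFC 1964 sec. 1.1), built and parsed."""
import base64
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR",
           b"\x01\x01": "MIC", b"\x02\x01": "WRAP"}          # RFC 1964 TOK_ID values
# Leading bytes of the three tokens quoted in the exchange above (truncated there with "...").
THREAD_AP_REQ = base64.b64decode("YIICHwYJKoZIhvcSAQICAQBuggIOMIICCqADAgEFoQMC")
THREAD_AP_REP = base64.b64decode("YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+i")
THREAD_WRAP = base64.b64decode("YD8GCSqGSIb3EgECAgIBBAD/////")

def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_der_len(buf: bytes, pos: int):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    count = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def wrap_initial_context_token(inner: bytes, tok_id: bytes = b"\x01\x00") -> bytes:
    """[APPLICATION 0] { mech OID, TOK_ID, inner Kerberos message } -> raw GSS token."""
    content = KRB5_MECH_OID + tok_id + inner
    return b"\x60" + der_len(len(content)) + content

def sasl_initial_response(inner_ap_req: bytes) -> str:
    """Base64 text the client sends after 'AUTH GSSAPI ' (RFC 4752 framing over SMTP)."""
    return base64.b64encode(wrap_initial_context_token(inner_ap_req)).decode("ascii")

def parse_gss_header(token: bytes) -> dict:
    """Identify mechanism, token type and inner ASN.1 tag; a truncated prefix suffices."""
    if token[:1] != b"\x60":
        raise ValueError("no [APPLICATION 0] wrapper: a bare AP-REQ (tag 0x6e) is not a GSS token")
    total, pos = read_der_len(token, 1)
    oid_len, oid_pos = read_der_len(token, pos + 1)
    if token[pos:oid_pos + oid_len] != KRB5_MECH_OID:
        raise ValueError("mechanism OID is not Kerberos V5")
    tok_id = token[oid_pos + oid_len:oid_pos + oid_len + 2]
    return {"declared_len": total, "token_type": TOK_IDS.get(tok_id, tok_id.hex()),
            "inner_tag": token[oid_pos + oid_len + 2:oid_pos + oid_len + 3].hex()}

def is_gss_framed(token: bytes) -> bool:
    """False for what the poster was sending: a bare AP-REQ starts 0x6e, not 0x60 + mech OID."""
    return token[:1] == b"\x60" and KRB5_MECH_OID in token[:16]
```

Running `parse_gss_header` over the three prefixes identifies them as the AP-REQ (inner tag 0x6e), the AP-REP (inner tag 0x6f) and an RFC 1964 Wrap token, which is the security-layer negotiation message that precedes the `235` line.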
