XMPP & Kerberos 5
Greg Hudson
ghudson at MIT.EDU
Mon Nov 30 07:59:53 EST 2009
On Mon, 2009-11-30 at 04:25 -0500, Oliver Schmidt wrote:
> Unfortunately, I failed using an GSSAPI patch for eJabberd together with
> my Kerberos system. After that, I tried using Openfire, which didn't work
> out for me either. Now, that I've read about that institution-wide XMPP
> service the MIT offers, I know that XMPP _must_ work with Kerberos
> somehow. Can you tell me how you set it up and, respectively, which
> software you did use?
MIT uses Openfire. I did the initial setup. You might take a look at:
http://itlab.stanford.edu/blog/archives/2009/test-services/openfire-and-kerberos-implementation-notes
The most complicated part comes if you want to allow people to log in
with passwords over TLS (since many XMPP clients do not have GSSAPI
support) and check those passwords against the KDC. Openfire does not
have native support for that, but it can be done via an authentication
plugin. I wrote a module to do so using Sun's JAAS; the code is
referenced in the URL above, but here's a direct link (which also has
our configuration files):
http://web.mit.edu/afs/dev.mit.edu/project/jabber/src/mitopenfire/
Please be aware that the password-checking code is not entirely secure.
A proper krb5 authentication module uses a service key (such as a host
key) to verify the returned TGT, in order to prevent an attacker from
spoofing the KDC. Unfortunately, the JAAS Krb5LoginModule does not
contain this functionality.
More information about the Kerberos
mailing list