XMPP & Kerberos 5

Garrett Wollman wollman at bimajority.org
Mon Nov 30 13:49:54 EST 2009


In article <mailman.32.1259603328.4612.kerberos at mit.edu>,
Russ Allbery  <rra at stanford.edu> wrote:

>The correct way of using Kerberos is for the user's credentials to never
>leave the local system.  In practice, it's an ideal that usually can't be
>reached, but every place where the Kerberos password leaves the local
>system and is validated on a remote system is a place that's going to
>break when you want to switch to something better than passwords, such as
>smart-card authentication.

On our systems, we require users to have two distinct passwords: their
Kerberos password, which is only used for login-equivalent
authentication and certificate generation, and their "email" password,
which is used by the IMAP server (Cyrus), the outgoing mail relay
(Exim), and the XMPP server (eJabberd).  Doing this for IMAP was
necessary in order to support webmail, and having done so, it made
sense to piggyback other applications requiring non-login password
authentication on the IMAP passwords.  I don't know how many users
have ended up changing their two passwords to be the same (we
discourage that but we don't have a mechanism to prevent it), but we
ensure that they at least start out different.

Since no commonly-used XMPP clients support GSSAPI authentication, we
have not looked seriously at supporting it on the server side.  We do
support it for email.

-GAWollman
(in this case writing from, but not for, MIT CSAIL)

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman at bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners? - S.J. Gould, 1993


