XMPP & Kerberos 5
Shumon Huque
shuque at isc.upenn.edu
Mon Nov 30 15:03:30 EST 2009
On Mon, Nov 30, 2009 at 07:59:53AM -0500, Greg Hudson wrote:
> MIT uses Openfire. I did the initial setup. You might take a look at:
>
> http://itlab.stanford.edu/blog/archives/2009/test-services/openfire-and-kerberos-implementation-notes
>
> The most complicated part comes if you want to allow people to log in
> with passwords over TLS (since many XMPP clients do not have GSSAPI
> support) and check those passwords against the KDC. Openfire does not
> have native support for that, but it can be done via an authentication
> plugin. I wrote a module to do so using Sun's JAAS; the code is
> referenced in the URL above, but here's a direct link (which also has
> our configuration files):
>
> http://web.mit.edu/afs/dev.mit.edu/project/jabber/src/mitopenfire/
>
> Please be aware that the password-checking code is not entirely secure.
> A proper krb5 authentication module uses a service key (such as a host
> key) to verify the returned TGT, in order to prevent an attacker from
> spoofing the KDC. Unfortunately, the JAAS Krb5LoginModule does not
> contain this functionality.
Generally, my sentiments are in agreement with Russ Allbery about not
violating the Kerberos security module, and trying to use native Kerberos
authentication as widely as possible, rather than using Kerberos as a
glorified password verification backend ...
So, I hate to admit this, but we too allow password-over-SSL
authentication on our XMPP servers (in addition to SASL/GSSAPI).
We do use Openfire, but rejected Sun's JAAS precisely because of
the security issue (lack of verification of the KDC response with
a stored service key). Instead, we decided to write a small JNI
function that wrapped some C code that used the MIT krb5 API to
do this properly. It's much messier to integrate into Openfire
though. A colleague of mine suggested that we should plan to
replace this with Java code that used lower level interfaces, e.g.
http://www.docjar.com/docs/api/sun/security/krb5/internal/package-index.html
but that looks like a bunch of work and we're a bit lacking in
programmers motivated to write Java :-)
It'd be nice if there was a Java version of the MIT krb5 API or
a more capable version of JAAS.
--Shumon.
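The KDC-spoofing problem Greg describes, worked through as an added toy model (this is not code from either poster or from Openfire, and it is not real Kerberos cryptography: HMAC-SHA256 stands in for ticket encryption, and the realm, principal names, keys and passwords are constructed). It contrasts a password check that only tests whether the AS-REP decrypts with one that, like MIT's krb5_verify_init_creds, uses the TGT to fetch a ticket for the server's own service and checks it against the key in the local keytab.

```python
import hashlib, hmac, os

TAG = 32  # HMAC-SHA256 tag length, used as our stand-in for encryption

def string_to_key(password):
    # constructed stand-in for the krb5 string-to-key function
    return hashlib.sha256(b"EXAMPLE.ORG|" + password.encode()).digest()

def seal(key, msg):
    """'Encrypt' msg under key: msg || HMAC(key, msg) (toy model only)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def unseal(key, blob):
    """Return msg if blob was sealed under key, else None."""
    msg, tag = blob[:-TAG], blob[-TAG:]
    ok = hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest())
    return msg if ok else None

class KDC:
    """Whoever answers the client's AS-REQ/TGS-REQ; holds principal -> key."""
    def __init__(self, keys): self.keys = keys
    def as_rep(self, client):
        tgt = seal(self.keys["krbtgt"], b"TGT|" + client.encode())
        return seal(self.keys[client], tgt)          # enc-part under client key
    def tgs_rep(self, tgt, service):
        inner = unseal(self.keys["krbtgt"], tgt)
        if inner is None: return None
        return seal(self.keys[service], inner + b"|" + service.encode())

def check_naive(kdc, client, password):
    """Accept if the AS-REP decrypts with the password: trusts the network."""
    return unseal(string_to_key(password), kdc.as_rep(client)) is not None

def check_verified(kdc, client, password, service, keytab_key):
    """Also obtain a ticket for our own service and check it with our keytab,
    which only the real KDC (holder of the real service key) can produce."""
    tgt = unseal(string_to_key(password), kdc.as_rep(client))
    if tgt is None: return False
    tkt = kdc.tgs_rep(tgt, service)
    return tkt is not None and unseal(keytab_key, tkt) is not None

# Constructed realm: the real KDC shares the service key with our keytab.
SERVICE, HOST_KEY = "xmpp/im.example.org", os.urandom(32)
REAL_KDC = KDC({"krbtgt": os.urandom(32), SERVICE: HOST_KEY,
                "alice": string_to_key("correct horse")})
# A rogue KDC knows only the password its operator types at the login prompt.
ROGUE_KDC = KDC({"krbtgt": os.urandom(32), SERVICE: os.urandom(32),
                 "alice": string_to_key("guess")})
```

Against the rogue KDC the naive check accepts "guess" for alice, while the verified check rejects it because the returned service ticket does not decrypt under HOST_KEY.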