XMPP & Kerberos 5

Russ Allbery rra at stanford.edu
Mon Nov 30 16:03:51 EST 2009


Edward Murrell <edward at murrell.co.nz> writes:

> GSSAPI and plain text logins work off the same password. As Russ
> Allbery pointed out in the other sub thread, this is not the best
> policy, so all the non-SSL channels, XMPP or otherwise, are disabled.

We were very pleasantly surprised at how universal both GSSAPI and TLS
support are in current XMPP clients.  We were expecting requiring one or
the other to be a big hassle, but we require both and haven't had many
serious problems.

http://im.stanford.edu/ has our user documentation, in case anyone finds
it useful.  We're running OpenFire as the server.  (It has some serious
issues and I'd rather run something else, but the GSSAPI support at least
is fairly good.  Even if it gets horribly confused by unqualified
principal names in places and then starts throwing Java exceptions.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


