[Wocky] New Gaim client patches
Greg Hudson
ghudson at MIT.EDU
Mon Nov 28 17:39:58 EST 2005

I've reviewed and tested Simon's new patches. They take a very
different approach from the previous set of patches he sent. Instead
of integrating all authentication through the Cyrus SASL library, he
implements just the GSSAPI mechanism, which turns out not to be very
much code. Rather than link the Jabber plugin against the krb5 gssapi
libraries, his code attempts to dynamically load the gssapi library at
runtime.

I identified the following issues:

* Although his approach is fairly slick in terms of deployability,
  I'm not sure it has any hope of passing muster for upstream
  integration. In particular, his code contains a copy of the krb5
  gssapi.h header file, hacked up so that it can declare typedefs
  instead of functions.

* His initialization function calls g_module_open("gssapi32", ...)
  which is clearly targeted for Windows. I had to hack that to
  "/usr/athena/lib/libgssapi_krb5" for my test build to make it
  work.

* His code doesn't return any useful information on errors; it just
  says there's been an authentication error. I hacked up a function
  to at least log the GSSAPI errors via gaim_debug.

* He uses the user's JID domain, not the connect server hostname,
  for the GSSAPI domain, which results in the client trying to use
  xmpp/web.mit.edu@ATHENA.MIT.EDU as the service principal (since
  mit.edu canonicalizes to web.mit.edu). I hacked it to use
  "jabber.mit.edu" for my test build, since the connect server
  hostname isn't easily available in that part of the code.

* His patch flags the Jabber protocol plugin as having optional
  passwords, so that Jabber accounts can be auto-logged in. As a
  result, if Kerberos authentication doesn't succeed on an
  auto-login attempt, password authentication also fails, rather
  than prompting the user for a password. I haven't checked against
  other protocol plugins to see if the gaim code has a way of
  handling this.

I plan to consult with Paul at tomorrow's SDIT meeting to decide how
to proceed. I've put up the sources and a Linux build at
/afs/dev.mit.edu/project/jabber/gaim-krb5-hack in case people want to
play with it.
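
The target-name choice raised in the fourth item above, as an added example (not code from Simon's patch, from Gaim, or from the author of this message): it builds the "service@host" string that a client would hand to gss_import_name() with GSS_C_NT_HOSTBASED_SERVICE, preferring the configured connect server and using the JID domain only as a fallback. The function names, the sample JID and the 256-byte host limit are assumptions made for illustration; the hostnames are the ones quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy the domain part of a JID ("user@domain/resource")
 * into out. Returns 0 on success, -1 if the domain is empty or does not fit. */
static int jid_domain(const char *jid, char *out, size_t outlen)
{
    const char *slash = strchr(jid, '/');        /* resource starts at first '/' */
    size_t barelen = slash ? (size_t)(slash - jid) : strlen(jid);
    const char *at = memchr(jid, '@', barelen);  /* '@' only counts before it */
    const char *dom = at ? at + 1 : jid;
    size_t domlen = barelen - (size_t)(dom - jid);

    if (domlen == 0 || domlen >= outlen)
        return -1;
    memcpy(out, dom, domlen);
    out[domlen] = '\0';
    return 0;
}

/* Hypothetical helper: build the host-based service name for the XMPP server.
 * The connect server wins; the JID domain is used only when none is set. */
int gss_target_name(const char *jid, const char *connect_server,
                    char *out, size_t outlen)
{
    char host[256];
    int n;

    if (connect_server && *connect_server) {
        if (strlen(connect_server) >= sizeof(host))
            return -1;
        strcpy(host, connect_server);
    } else if (jid_domain(jid, host, sizeof(host)) != 0) {
        return -1;
    }
    n = snprintf(out, outlen, "xmpp@%s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char name[300];
    /* Constructed sample account using the hostnames from the message. */
    if (gss_target_name("user@mit.edu/Home", "jabber.mit.edu", name, sizeof(name)) == 0)
        printf("with connect server: %s\n", name);
    if (gss_target_name("user@mit.edu/Home", NULL, name, sizeof(name)) == 0)
        printf("JID domain fallback: %s\n", name);
    return 0;
}
```

The fallback result, xmpp@mit.edu, is the input that the message reports ending up as xmpp/web.mit.edu@ATHENA.MIT.EDU once mit.edu is canonicalized.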