[Wocky] New Gaim client patches

Greg Hudson ghudson at MIT.EDU
Mon Nov 28 17:39:58 EST 2005 

I've reviewed and tested Simon's new patches.  They take a very
different approach from the previous set of patches he sent.  Instead
of integrating all authentication through the Cyrus SASL library, he
implements just the GSSAPI mechanism, which turns out not to be very
much code.  Rather than link the Jabber plugin against the krb5 gssapi
libraries, his code attempts to dynamically load the gssapi library at
runtime.

I identified the following issues:

  * Although his approach is fairly slick in terms of deployability,
    I'm not sure it has any hope of passing muster for upstream
    integration.  In particular, his code contains a copy of the krb5
    gssapi.h header file, hacked up so that it can declare typedefs
    instead of functions.

  * His initialization function calls g_module_open("gssapi32", ...)
    which is clearly targeted for Windows.  I had to hack that to
    "/usr/athena/lib/libgssapi_krb5" for my test build to make it
    work.

  * His code doesn't return any useful information on errors; it just
    says there's been an authentication error.  I hacked up a function
    to at least log the GSSAPI errors via gaim_debug.

  * He uses the user's JID domain, not the connect server hostname,
    for the GSSAPI domain, which results in the client trying to use
    xmpp/web.mit.edu at ATHENA.MIT.EDU as the service principal (since
    mit.edu canonicalizes to web.mit.edu).  I hacked it to use
    "jabber.mit.edu" for my test build, since the connect server
    hostname isn't easily available in that part of the code.

  * His patch flags the Jabber protocol plugin as having optional
    passwords, so that Jabber accounts can be auto-logged in.  As a
    result, if Kerberos authentication doesn't succeed on an
    auto-login attempt, password authentication also fails, rather
    than prompting the user for a password.  I haven't checked against
    other protocol plugins to see if the gaim code has a way of
    handling this.

I plan to consult with Paul at tomorrow's SDIT meeting to decide how
to proceed.  I've put up the sources and a Linux build at
/afs/dev.mit.edu/project/jabber/gaim-krb5-hack in case people want to
play with it.

More information about the Wocky mailing list