[Wocky] Adium and GSSAPI

Ken Raeburn raeburn at MIT.EDU
Sun Jan 6 06:00:08 EST 2008


Okay, it looks like 1.2 has been released, and I didn't have time to  
get some fixes made and submitted.  So, here are my observations:

* By default, strict certificate checking is on for Jabber servers.   
It'll complain about mit.edu because it has a self-signed cert.   
There is an account option to disable the strict checking, but of  
course better would be to get server certificates signed by the MIT  
CA and get the MIT CA into people's trusted servers.

* If a "connect server" of jabber.mit.edu is specified for an mit.edu  
Jabber account, then GSSAPI authentication will fail.  Unfortunately,  
in this case, it doesn't fall back to password authentication.  So  
you need to remove the connect server, if you have one listed.  (Note  
that IS&T's current recommended settings for Adium include the  
connect server.)

* There's a bug in the old version of the OpenFire server running on  
jabber.mit.edu -- Greg knows the details -- which causes session  
establishment to fail even though GSSAPI authentication succeeded.   
Then, Adium falls back to password authentication, but for some  
reason it doesn't seem to be working for me.  I'm not sure if this is  
related to the OpenFire issue or something new.

* The Zephyr support has been compiled without Kerberos support, and  
is therefore useless; it cannot talk to the MIT servers.

So, my recommendation (unofficial, not endorsed by IS&T, caveat  
emptor, your mileage may vary, no lifeguard on duty, etc, etc) is:  
Don't even bother right now.

Ken


