
Mailing List Archive: exim: dev

SASL changes: branch sasl_fixes

 

 



pdp at exim

Feb 3, 2012, 11:39 PM


Folks,

In debugging why my GSSAPI authenticator (cyrus_sasl driver) had stopped
working, I made a number of fixes, which are on the sasl_fixes branch.
Does anyone fancy giving them a look over for sanity?

$tls_bits is a new variable; that's fed into
sasl_setprop(..,SASL_SSF_EXTERNAL, ...) for the Exim-as-server case.
Should probably be done for the client too.

In the end, my problems are caused by Heimdal; I've sent mail to
heimdal-discuss@:
http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/6701

(I noticed this in Heimdal 1.4, not sure when the problem was
introduced).

In short: KRB5_KTNAME is no longer honoured for processes that have had
security boundary transitions, such as Exim. So using a different
keytab is impossible at present, thus the client library falls back to
trying to get "host/$system_primary_hostname" credentials from the KDC.

Once I figure out, or am told, the API to use to override the keytab in
source, I'll add a HEIMDAL build-option to Exim and add the knobs to let
that be set. This means bypassing the cyrus-sasl abstraction layer, but
we don't appear to have a choice.

If there's anyone using MIT's Kerberos implementation reading: is there
an API call needed to override the keytab there too?
--
https://twitter.com/syscomet
