Kerberos support in Thunderbird

Kerberos support in Thunderbird

Simon Wilkinson
The Thunderbird beta (1.5b1) that was released yesterday contains new
support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
servers.

It would be really good to get some test coverage against different
servers, and in different environments. I originally wrote and tested
the code against the U-W IMAP server - it's also been tested against
various servers using Cyrus SASL for their GSSAPI support.

The beta can be downloaded from
http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html

Cheers,

Simon.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos support in Thunderbird

Markus Moeller
Does the Unix version work with Heimdal, MIT and others?

Thanks
Markus

"Simon Wilkinson" <[hidden email]> wrote in message
news:[hidden email]...

> The Thunderbird beta (1.5b1) that was released yesterday contains new
> support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
> servers.
>
> It would be really good to get some test coverage against different
> servers, and in different environments. I originally wrote and tested
> the code against the U-W IMAP server - it's also been tested against
> various servers using Cyrus SASL for their GSSAPI support.
>
> The beta can be downloaded from
> http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
>
> Cheers,
>
> Simon.

Re: Kerberos support in Thunderbird

Jim Alexander
In reply to this post by Simon Wilkinson
In article <[hidden email]>,
Simon Wilkinson <[hidden email]> wrote:
]The Thunderbird beta (1.5b1) that was released yesterday contains new
]support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
]servers.
]
]It would be really good to get some test coverage against different
]servers, and in different environments. I originally wrote and tested
]the code against the U-W IMAP server - it's also been tested against
]various servers using Cyrus SASL for their GSSAPI support.
]
]The beta can be downloaded from
]http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html

I'd love to try this out, but I cannot find information on how to
make GSSAPI the default auth for IMAP and SMTP. There's nothing in
the GUI, nor anything obvious in about:config. I assume there's a
hidden pref, but googling and searching the relevant bugs in bugzilla
for it has come up empty. Is this documented anywhere?

(As a side note, it seems pretty odd to trumpet "Kerberos Authentication"
as one of the big new features of 1.5 when there's no obvious way of activating
it!)

--

________ Jim Alexander __________________ [hidden email] ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson

Re: Kerberos support in Thunderbird

Markus Moeller
In reply to this post by Simon Wilkinson
Simon,

Is there also documentation somewhere on how to enable it? I didn't see
any option when setting up an account nor for an outgoing SMTP server.

Thank you
Markus


"Simon Wilkinson" <[hidden email]> wrote in message
news:[hidden email]...

> The Thunderbird beta (1.5b1) that was released yesterday contains new
> support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
> servers.
>
> It would be really good to get some test coverage against different
> servers, and in different environments. I originally wrote and tested
> the code against the U-W IMAP server - it's also been tested against
> various servers using Cyrus SASL for their GSSAPI support.
>
> The beta can be downloaded from
> http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
>
> Cheers,
>
> Simon.

Re: Kerberos support in Thunderbird

Mark Sirota
--On Sunday, September 11, 2005 6:27 PM +0100 Markus Moeller
<[hidden email]> wrote:
> Is there also documentation somewhere on how to enable it? I didn't
> see any option when setting up an account nor for an outgoing SMTP
> server.

Make sure "Use Secure Authentication" is checked in the "Security
Settings" tab for IMAP and POP (the "Never" radio button for secure
connection works just fine). Nothing special needs to be done for SMTP
(if Kerberos tokens exist, SMTP will take advantage of the credentials if
possible).

For Windows, a special pref needs to be set to get MIT's Kerberos
For Windows (and its GSSAPI library) used instead of Microsoft's
sspi.

This line:

user_pref("network.auth.use-sspi", false);

Needs to be put into a user's "prefs.js" in their user profile dir,
or use options | advanced | config to change the pref.

Mark
--
Mark Sirota, Associate Director, Network Engineering and Services
University of Pennsylvania, Information Systems and Computing
[hidden email], 215/573-7214

Re: Kerberos support in Thunderbird

Jeffrey Altman-3
Mark Sirota wrote:
> Make sure "Use Secure Authentication" is checked in the "Security
> Settings" tab for IMAP and POP (the "Never" radio button for secure
> connection works just fine). Nothing special needs to be done for SMTP
> (if Kerberos tokens exist, SMTP will take advantage of the credentials if
> possible).

Mark:

For e-mail, I believe that you really want the ability to specify
in the account setup the Kerberos principal name that should be used
for the client.

On Mac OS X and with KFW on Windows, you may also want to specify the
name of the ccache to use.

On Mac OS X and KFW, the Kerberos libraries will prompt the user for
credentials if there are not any.

What test is Thunderbird using to determine whether or not GSSAPI
authentication should be negotiated for a given account?

> For Windows, a special pref needs to be set to get MIT's Kerberos
> For Windows (and its GSSAPI library) used instead of Microsoft's
> sspi.
>
> This line:
>
> user_pref("network.auth.use-sspi", false);
>
> Needs to be put into a user's "prefs.js" in their user profile dir,
> or use options | advanced | config to change the pref.

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: Kerberos support in Thunderbird

Simon Wilkinson
Jeffrey Altman wrote:
> For e-mail, I believe that you really want the ability to specify
> in the account setup the Kerberos principal name that should be used
> for the client.

There's not much intelligence in the code at the moment - it will use
whatever the default principal in the current credentials cache is. To
give some background - I implemented the SASL/GSSAPI support on top of
the existing GSSAPI support that's used for NegotiateAuth in Firebird.
Some things (like disabling the credentials prompting support under Mac
OS X), come from the heritage of this underlying module.

> On Mac OS X and with KFW on Windows, you may also want to specify the
> name of the ccache to use.

How do you do this from within the GSSAPI?

> What test is Thunderbird using to determine whether or not GSSAPI
> authentication should be negotiated for a given account?

At the moment, if the 'Use Secure Authentication' option is set for a
given protocol, the server at the other end offers GSSAPI as one of its
supported SASL mechanisms, and the first call to init_secure_context for
that server succeeds, we'll try to do GSSAPI auth against that server.
If GSSAPI fails, then we'll fall back to trying a different
authentication scheme.

Cheers,

Simon.

Re: Kerberos support in Thunderbird

Jeffrey Altman-3
Simon Wilkinson wrote:

>>On Mac OS X and with KFW on Windows, you may also want to specify the
>>name of the ccache to use.
>
>
> How do you do this from within the GSSAPI?

At the moment, via the KRB5CCNAME environment variable.
(Yes, I know, it's not thread safe to do so)

>>What test is Thunderbird using to determine whether or not GSSAPI
>>authentication should be negotiated for a given account?
>
>
> At the moment, if the 'Use Secure Authentication' option is set for a
> given protocol, the server at the other end offers GSSAPI as one of its
> supported SASL mechanisms, and the first call to init_secure_context for
> that server succeeds, we'll try to do GSSAPI auth against that server.
> If GSSAPI fails, then we'll fall back to trying a different
> authentication scheme.

This can end up causing some problems for end users.  It is entirely
possible for the GSSAPI authentication to succeed and yet the user
will be unable to access the mailbox they are attempting to reach
because the principal used is not the one which has authorization for
accessing the mailbox.

At the very least I think that users need to have the ability to
disable the use of GSSAPI on a per mailbox basis until such time as
we have better client principal selection algorithms in place.

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: Kerberos support in Thunderbird

Jeffrey Hutzelman
On Monday, September 12, 2005 15:13:27 +0000 Jeffrey Altman
<[hidden email]> wrote:

> This can end up causing some problems for end users.  It is entirely
> possible for the GSSAPI authentication to succeed and yet the user
> will be unable to access the mailbox they are attempting to reach
> because the principal used is not the one which has authorization for
> accessing the mailbox.

And yet, it is what nearly every Kerberized application in existence does,
and it seems to work reasonably well.  I realize that you would like to see
a better UI for client credential selection, but today, this is the best
current practice.

That said, most mail software I've seen does allow the user to specify the
authentication mechanism to use on a per-account basis.  That would seem to
be appropriate here, as well.

-- Jeff

Re: Kerberos support in Thunderbird

Ken Hornstein
In reply to this post by Simon Wilkinson
>The Thunderbird beta (1.5b1) that was released yesterday contains new
>support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
>servers.
>
>It would be really good to get some test coverage against different
>servers, and in different environments. I originally wrote and tested
>the code against the U-W IMAP server - it's also been tested against
>various servers using Cyrus SASL for their GSSAPI support.

Works like a champ out of the box against our POP server (a version of
qpopper that uses Cyrus SASL) and our SMTP server (sendmail).  It
doesn't do security layers, unfortunately, but you already knew that :-/
Nevertheless, I'm buying a round next time we're in a pub together!

--Ken

Re: Kerberos support in Thunderbird

Jim Alexander
In reply to this post by Simon Wilkinson
In article <[hidden email]>,
Simon Wilkinson <[hidden email]> wrote:
]At the moment, if the 'Use Secure Authentication' option is set for a
]given protocol, the server at the other end offers GSSAPI as one of its
]supported SASL mechanisms, and the first call to init_secure_context for
]that server succeeds, we'll try to do GSSAPI auth against that server.
]If GSSAPI fails, then we'll fall back to trying a different
]authentication scheme.

This isn't a correct implementation, then. IMAP "secure authentication" is
supposed to enable non-cleartext authentication when lower-level encryption
isn't available. It makes no sense to have this enabled to enable
kerberos auth.  You need to be able to separately specify that you want
kerberos authentication, on a per-account basis, without the "Use Secure
Authentication" option enabled. Since our server does not support secure
authentication, your implementation does the following right now:

(a) If I already have a kerberos ticket in my cache, I get my mail as
    expected.

(b) If my ticket cache is empty, Thunderbird correctly posts a "your server
    does not support secure authentication" dialog. My key manager never
    prompts me to obtain a ticket.

You also need to be able to explicitly select (or deselect) kerberos auth
because the server has a preferential list of authentication methods that
may not match the client's needs. I want to force kerberos auth, and others
may want to do, say, CRAM-MD5, if available, even if kerberos is preferred.

Finally, whatever method is being used to offer kerberos authentication for
SMTP completely doesn't work for me, either, regardless of whether I have
tickets in my cache or not. I get a "relaying denied" error, so GSSAPI auth
is clearly not working, even though the server very clearly offers it, and
indeed it works fine with Apple's Mail and Mulberry.  Can someone say
more about how the SMTP code decides to use GSSAPI or not? I bet this
is another case where you need to be able to explicitly select your
authentication method for each server, just like with IMAP. Every other
mail client I've used does it that way.

--

________ Jim Alexander __________________ [hidden email] ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson

Re: Kerberos support in Thunderbird

Markus Moeller
In reply to this post by Ken Hornstein
I got it now also working on SLES9 with SMTP and IMAP against a w2k3 kdc,
although a sendmail buffer needed to be increased to accept the very long
AUTH line because of the PAC field.

Thanks
Markus

"Ken Hornstein" <[hidden email]> wrote in message
news:[hidden email]...

> >The Thunderbird beta (1.5b1) that was released yesterday contains new
>>support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
>>servers.
>>
>>It would be really good to get some test coverage against different
>>servers, and in different environments. I originally wrote and tested
>>the code against the U-W IMAP server - it's also been tested against
>>various servers using Cyrus SASL for their GSSAPI support.
>
> Works like a champ out of the box against our POP server (a version of
> qpopper that uses Cyrus SASL) and our SMTP server (sendmail).  It
> doesn't do security layers, unfortunately, but you already knew that :-/
> Nevertheless, I'm buying a round next time we're in a pub together!
>
> --Ken

Re: Kerberos support in Thunderbird

Jim Alexander
In reply to this post by Jim Alexander
I meant to also add that I think it is generally considered bad form to
silently fall back to a weaker security mechanism when a stronger one
fails. I want to be able to configure my mail client to use GSSAPI,
and if it fails, I want to be told that it failed, not fall back
and perhaps successfully authenticate using CRAM-MD5, leaving me without
a clue that my chosen auth method is not working.

As a side note, should we be opening new bugs in bugzilla for this, or
maybe reopen bug 303160? Or is hashing it out here completely sufficient
for now?


--

________ Jim Alexander __________________ [hidden email] ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson
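To make the two positions in this thread concrete, here is an added example (written for this page, not code from the thread or from Thunderbird): a constructed Python simulation of the 1.5b1 selection logic Simon describes (try GSSAPI if the server offers it and the first context call succeeds, otherwise fall back) beside the per-account pinned mechanism with a visible failure that Jim asks for. The capability line, the credentials-cache stand-in and the client preference order are assumptions.

```python
"""Constructed simulation of SASL mechanism selection in a mail client.

No network and no real GSSAPI: the capability line, the credentials cache
and the preference order below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Client preference, strongest first (an assumption, not Thunderbird's list).
CLIENT_PREFERENCE = ["GSSAPI", "CRAM-MD5", "PLAIN"]


class AuthFailure(Exception):
    """Raised when the account's chosen mechanism cannot be used."""


@dataclass
class CredCache:
    """Stand-in for a Kerberos credentials cache (what KRB5CCNAME points at)."""
    default_principal: Optional[str] = None


def parse_capabilities(line: str) -> list:
    """Return the SASL mechanisms advertised as AUTH=<mech> in a CAPABILITY line."""
    return [tok.split("=", 1)[1].upper()
            for tok in line.split() if tok.upper().startswith("AUTH=")]


def init_sec_context(cache: CredCache) -> bool:
    """Stand-in for the first GSS_Init_sec_context() call: it can only
    succeed if the cache holds a default principal (i.e. a TGT)."""
    return cache.default_principal is not None


def negotiate(offered, cache, log):
    """1.5b1 behaviour as described in the thread: use GSSAPI when the server
    offers it and the first context call succeeds, otherwise walk down the
    preference list. The downgrade is recorded in `log` but never shown."""
    for mech in CLIENT_PREFERENCE:
        if mech not in offered:
            continue
        if mech == "GSSAPI" and not init_sec_context(cache):
            log.append("GSSAPI context init failed; trying next mechanism")
            continue
        return mech
    return None  # nothing usable; caller reports a generic auth failure


def explicit(pinned, offered, cache, log):
    """Per-account pinned mechanism: the account either authenticates with
    `pinned` or fails visibly; no other mechanism is tried."""
    if pinned not in offered:
        raise AuthFailure(f"{pinned} not offered by server (offered: {offered})")
    if pinned == "GSSAPI" and not init_sec_context(cache):
        raise AuthFailure("GSSAPI failed: no credentials in cache; obtain a ticket")
    log.append(f"authenticating with {pinned}")
    return pinned


def demo():
    """Run both policies against an empty cache and return the outcomes."""
    caps = parse_capabilities(
        "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=PLAIN")
    empty = CredCache()
    silent_log = []
    fell_back_to = negotiate(caps, empty, silent_log)
    try:
        explicit("GSSAPI", caps, empty, [])
        loud = None
    except AuthFailure as exc:
        loud = str(exc)
    return fell_back_to, loud


if __name__ == "__main__":
    chosen, error = demo()
    print("negotiate policy silently used:", chosen)
    print("explicit policy reported:", error)
```

With an empty cache the negotiate policy quietly lands on CRAM-MD5, which is exactly the downgrade Jim objects to, while the explicit policy surfaces the missing ticket as an error the user can act on.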

Re: Kerberos support in Thunderbird

hartmans
In reply to this post by Jeffrey Hutzelman
>>>>> "Jeffrey" == Jeffrey Hutzelman <[hidden email]> writes:

    Jeffrey> On Monday, September 12, 2005 15:13:27 +0000 Jeffrey
    Jeffrey> Altman
    Jeffrey> <[hidden email]> wrote:

    >> This can end up causing some problems for end users.  It is
    >> entirely possible for the GSSAPI authentication to succeed and
    >> yet the user will be unable to access the mailbox they are
    >> attempting to reach because the principal used is not the one
    >> which has authorization for accessing the mailbox.

    Jeffrey> And yet, it is what nearly every Kerberized application
    Jeffrey> in existence does, and it seems to work reasonably well.
    Jeffrey> I realize that you would like to see a better UI for
    Jeffrey> client credential selection, but today, this is the best
    Jeffrey> current practice.

I actually have to agree with Jeff Hutzelman here.  I think you
definitely want the default behavior to be what Thunderbird is doing
now: use the default principal and do gss if the server offers it.


--Sam


Re: Kerberos support in Thunderbird

hartmans
In reply to this post by Jim Alexander
>>>>> "Jim" == Jim Alexander <[hidden email]> writes:

    Jim> In article <[hidden email]>,
    Jim> Simon Wilkinson <[hidden email]> wrote:
    Jim> ]At the moment, if the 'Use Secure Authentication' option is
    Jim> set for a ]given protocol, the server at the other end offers
    Jim> GSSAPI as one of its ]supported SASL mechanisms, and the
    Jim> first call to init_secure_context for ]that server succeeds,
    Jim> we'll try to do GSSAPI auth against that server.  ]If GSSAPI
    Jim> fails, then we'll fall back to trying a different
    Jim> ]authentication scheme.

    Jim> This isn't a correct implementation, then. IMAP "secure
    Jim> authentication" is supposed to enable non-cleartext
    Jim> authentication when lower-level encryption isn't
    Jim> available. It makes no sense to have this enabled to enable
    Jim> kerberos auth.  You need to be able to separately specify
    Jim> that you want kerberos authentication, on a per-account
    Jim> basis, without the "Use Secure Authentication" option
    Jim> enabled. Since our server does not support secure
    Jim> authentication, your implementation does the following right
    Jim> now:

sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
definition of IMAP secure authentication.

    Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
    Jim> a "your server does not support secure authentication"
    Jim> dialog. My key manager never prompts me to obtain a ticket.

On Mac and Windows this is not at all what I'd expect.  I'd expect you
to be prompted to get tickets.

--Sam


Re: Kerberos support in Thunderbird

hartmans
In reply to this post by Jim Alexander
>>>>> "Jim" == Jim Alexander <[hidden email]> writes:

    Jim> I meant to also add that I think it is generally considered
    Jim> bad form to silently fall back to a weaker security mechanism
    Jim> when a stronger one fails. I want to be able to configure my
    Jim> mail client to use GSSAPI, and if it fails, I want to be told
    Jim> that it failed, not fall back and perhaps successfully
    Jim> authenticate using CRAM-MD5, leaving me without a clue that
    Jim> my chosen auth method is not working.


I agree having this option is nice.  However I also think it is
important to have a usable default behavior.


Re: Kerberos support in Thunderbird

Jim Alexander
In reply to this post by hartmans
In article <[hidden email]>, Sam Hartman <[hidden email]> wrote:
]
]sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
]definition of IMAP secure authentication.

Yes, I wasn't at all clear what I meant there. I was not referring to the
general definition of "secure authentication," which GSSAPI certainly
falls into. I meant the "secure authentication" preference that appears
in other popular mailers - this usually means something like NTLM or
CRAM-MD5. I think its current usage in Thunderbird is confusing.

In any case, as I said in other posts, I think that the user needs to
be given a way to explicitly specify the desired authentication mechanism,
and needs to be told when their auth of choice has failed, not just
autonegotiate down an auth chain in an undocumented order.

]    Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
]    Jim> a "your server does not support secure authentication"
]    Jim> dialog. My key manager never prompts me to obtain a ticket.
]
]On Mac and Windows this is not at all what I'd expect.  I'd expect you
]to be prompted to get tickets.

Exactly, but instead Thunderbird just gives up and falls back to something
else, and it's totally unclear to the user what went wrong.

--

________ Jim Alexander __________________ [hidden email] ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson

Re: Kerberos support in Thunderbird

Andreas Hasenack
In reply to this post by Jim Alexander
On Mon, Sep 12, 2005 at 10:43:42PM +0000, Jim Alexander wrote:
> I meant to also add that I think it is generally considered bad form to
> silently fall back to a weaker security mechanism when a stronger one
> fails. I want to be able to configure my mail client to use GSSAPI,
> and if it fails, I want to be told that it failed, not fall back
> and perhaps successfully authenticate using CRAM-MD5, leaving me without
> a clue that my chosen auth method is not working.

I agree with that. I also think something more specific than "secure
password authentication" is needed.


Re: Kerberos support in Thunderbird

Simon Wilkinson
In reply to this post by hartmans
Sam Hartman wrote:
>     Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
>     Jim> a "your server does not support secure authentication"
>     Jim> dialog. My key manager never prompts me to obtain a ticket.
>
> On Mac and Windows this is not at all what I'd expect.  I'd expect you
> to be prompted to get tickets.

I'm not sure why you're not being prompted under Windows (perhaps you're
configured to use SSPI, rather than Kerberos for Windows?). On the Mac,
the ticket prompter is specifically disabled. This is because of the
GSSAPI support code's original role in supporting Firefox's
NegotiateAuth implementation - fixing this in some way is bug #307788 @
bugzilla.mozilla.org

Simon.

Re: Kerberos support in Thunderbird

Jeffrey Altman-3
Simon Wilkinson wrote:

> I'm not sure why you're not being prompted under Windows (perhaps you're
> configured to use SSPI, rather than Kerberos for Windows?). On the Mac,
> the ticket prompter is specifically disabled. This is because of the
> GSSAPI support code's original role in supporting Firefox's
> NegotiateAuth implementation - fixing this in some way is bug #307788 @
> bugzilla.mozilla.org
>
> Simon.

I can confirm that prompting works on Windows with MIT KFW 3.0
and the appropriate settings entered into about:config.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu