RE: Kerberos Digest, Vol 33, Issue 10


barf
Please can you tell what jar file the following class is in
com.sun.security.auth.module.Krb5LoginModule

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: 12 September 2005 17:02
To: [hidden email]
Subject: Kerberos Digest, Vol 33, Issue 10

Send Kerberos mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   1. Re: Kerberos support in Thunderbird (Markus Moeller)
   2. Re: Kerberos support in Thunderbird (Mark Sirota)
   3. Re: Kerberos support in Thunderbird (Jim Alexander)
   4. Key size is incompatible (Ryan Olejnik)
   5. Re: Kerberos support in Thunderbird (Jeffrey Altman)
   6. Re: Kerberos support in Thunderbird (Simon Wilkinson)
   7. Re: Kerberos support in Thunderbird (Jeffrey Altman)


----------------------------------------------------------------------

Date: Sun, 11 Sep 2005 18:27:26 +0100
From: "Markus Moeller" <[hidden email]>
To: [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <dg1pba$dbf$[hidden email]>
References: <[hidden email]>
Precedence: list
Message: 1

Simon,

is there also somewhere a documentation of how to enable it? I didn't see
any option when setting up an account nor for an outgoing smtp server.

Thank you
Markus


"Simon Wilkinson" <[hidden email]> wrote in message
news:[hidden email]...

> The Thunderbird beta (1.5b1) that was released yesterday contains new
> support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
> servers.
>
> It would be really good to get some test coverage against different
> servers, and in different environments. I originally wrote and tested
> the code against the U-W IMAP server - it's also been tested against
> various servers using Cyrus SASL for their GSSAPI support.
>
> The beta can be downloaded from
> http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
>
> Cheers,
>
> Simon.
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



------------------------------

Date: Sun, 11 Sep 2005 19:28:13 -0400
From: Mark Sirota <[hidden email]>
To: Markus Moeller <[hidden email]>, [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <E4B250338BC5DF116CC6C312@[10.0.1.2]>
In-Reply-To: <dg1pba$dbf$[hidden email]>
References: <[hidden email]> <dg1pba$dbf$[hidden email]>
Content-Type: text/plain; charset=us-ascii; format=flowed
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 2

--On Sunday, September 11, 2005 6:27 PM +0100 Markus Moeller
<[hidden email]> wrote:
> is there also somewhere a documentation of how to enable it? I didn't
> see any option when setting up an account nor for an outgoing smtp
> server.

Make sure "Use Secure Authentication" is checked in the "Security
Settings" tab for IMAP and POP (the "Never" radio button for secure
connection works just fine). Nothing special needs to be done for SMTP
(if Kerberos tokens exist, SMTP will take advantage of the credentials if
possible).

For Windows, a special pref needs to be set to get MIT's Kerberos
For Windows (and its GSSAPI library) used instead of Microsoft's
SSPI.

This line:

user_pref("network.auth.use-sspi", false);

Needs to be put into a user's "prefs.js" in their user profile dir,
or use options | advanced | config to change the pref.

Mark
--
Mark Sirota, Associate Director, Network Engineering and Services
University of Pennsylvania, Information Systems and Computing
[hidden email], 215/573-7214
------------------------------

Date: Sun, 11 Sep 2005 17:05:01 +0000 (UTC)
From: [hidden email] (Jim Alexander)
To: [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <dg1o3t$d21g$[hidden email]>
References: <[hidden email]>
Precedence: list
Message: 3

In article <[hidden email]>,
Simon Wilkinson <[hidden email]> wrote:
]The Thunderbird beta (1.5b1) that was released yesterday contains new
]support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
]servers.
]
]It would be really good to get some test coverage against different
]servers, and in different environments. I originally wrote and tested
]the code against the U-W IMAP server - it's also been tested against
]various servers using Cyrus SASL for their GSSAPI support.
]
]The beta can be downloaded from
]http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html

I'd love to try this out, but I cannot find information on how to
make GSSAPI the default auth for IMAP and SMTP. There's nothing in
the GUI, nor anything obvious in about:config. I assume there's a
hidden pref, but googling and searching the relevant bugs in bugzilla
for it has come up empty. Is this documented anywhere?

(As a side note, it seems pretty odd to trumpet "Kerberos Authentication"
as one of big new features of 1.5 when there's no obvious way of activating
it!)

--

________ Jim Alexander __________________ [hidden email]
________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson
------------------------------

Date: Sun, 11 Sep 2005 22:19:45 -0500
From: Ryan Olejnik <[hidden email]>
To: [hidden email]
Subject: Key size is incompatible
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Message: 4

hello,

does anyone know what might cause this problem:
kinit: krb5_get_init_creds: Key size is incompatible with encryption type

I am only running a master KDC, so that rules out a problem with the slave.

thanks,
ryan olejnik
------------------------------

Date: Mon, 12 Sep 2005 13:53:22 GMT
From: Jeffrey Altman <[hidden email]>
To: [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <mLfVe.31245$%[hidden email]>
References: <[hidden email]> <dg1pba$dbf$[hidden email]>
        <E4B250338BC5DF116CC6C312@[10.0.1.2]>
Precedence: list
Message: 5

Mark Sirota wrote:
> Make sure "Use Secure Authentication" is checked in the "Security
> Settings" tab for IMAP and POP (the "Never" radio button for secure
> connection works just fine). Nothing special needs to be done for SMTP
> (if Kerberos tokens exist, SMTP will take advantage of the credentials if
> possible).

Mark:

For e-mail, I believe that you really want the ability to specify
in the account setup the Kerberos principal name that should be used
for the client.

On Mac OS X and with KFW on Windows, you may also want to specify the
name of the ccache to use.

On Mac OS X and KFW, the Kerberos libraries will prompt the user for
credentials if there are not any.

What test is Thunderbird using to determine whether or not GSSAPI
authentication should be negotiated for a given account?

> For Windows, a special pref needs to be set to get MIT's Kerberos
> For Windows (and its GSSAPI library) used instead of Microsoft's
> SSPI.
>
> This line:
>
> user_pref("network.auth.use-sspi", false);
>
> Needs to be put into a user's "prefs.js" in their user profile dir,
> or use options | advanced | config to change the pref.

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
------------------------------

Date: Mon, 12 Sep 2005 15:31:47 +0100
From: Simon Wilkinson <[hidden email]>
To: Jeffrey Altman <[hidden email]>
Cc: [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <[hidden email]>
In-Reply-To: <mLfVe.31245$%[hidden email]>
References: <[hidden email]> <dg1pba$dbf$[hidden email]>
        <E4B250338BC5DF116CC6C312@[10.0.1.2]>
        <mLfVe.31245$%[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 6

Jeffrey Altman wrote:
> For e-mail, I believe that you really want the ability to specify
> in the account setup the Kerberos principal name that should be used
> for the client.

There's not much intelligence in the code at the moment - it will use
whatever the default principal in the current credentials cache is. To
give some background - I implemented the SASL/GSSAPI support on top of
the existing GSSAPI support that's used for NegotiateAuth in Firebird.
Some things (like disabling the credentials prompting support under Mac
OS X), come from the heritage of this underlying module.

> On Mac OS X and with KFW on Windows, you may also want to specify the
> name of the ccache to use.

How do you do this from within the GSSAPI?

> What test is Thunderbird using to determine whether or not GSSAPI
> authentication should be negotiated for a given account?

At the moment, if the 'Use Secure Authentication' option is set for a
given protocol, the server at the other end offers GSSAPI as one of its
supported SASL mechanisms, and the first call to init_secure_context for
that server succeeds, we'll try to do GSSAPI auth against that server.
If GSSAPI fails, then we'll fall back to trying a different
authentication scheme.

Cheers,

Simon.
------------------------------

Date: Mon, 12 Sep 2005 15:13:27 GMT
From: Jeffrey Altman <[hidden email]>
To: [hidden email]
Subject: Re: Kerberos support in Thunderbird
Message-ID: <rWgVe.31254$%[hidden email]>
References: <[hidden email]> <dg1pba$dbf$[hidden email]>
        <E4B250338BC5DF116CC6C312@[10.0.1.2]><[hidden email]>
Precedence: list
Message: 7

Simon Wilkinson wrote:

>>On Mac OS X and with KFW on Windows, you may also want to specify the
>>name of the ccache to use.
>
>
> How do you do this from within the GSSAPI?

At the moment, via the KRB5CCNAME environment variable.
(Yes, I know, it's not thread safe to do so)

>>What test is Thunderbird using to determine whether or not GSSAPI
>>authentication should be negotiated for a given account?
>
>
> At the moment, if the 'Use Secure Authentication' option is set for a
> given protocol, the server at the other end offers GSSAPI as one of its
> supported SASL mechanisms, and the first call to init_secure_context for
> that server succeeds, we'll try to do GSSAPI auth against that server.
> If GSSAPI fails, then we'll fall back to trying a different
> authentication scheme.

This can end up causing some problems for end users.  It is entirely
possible for the GSSAPI authentication to succeed and yet the user
will be unable to access the mailbox they are attempting to reach
because the principal used is not the one which has authorization for
accessing the mailbox.

At the very least I think that users need to have the ability to
disable the use of GSSAPI on a per mailbox basis until such time as
we have better client principal selection algorithms in place.

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
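Simon's negotiation rule and Jeffrey's wrong-principal caveat, written out as an added example that is not from the thread or from Thunderbird's source: it parses a constructed IMAP CAPABILITY line, applies the rule (secure auth on, server advertises GSSAPI, first context initialization succeeds), and adds the hypothetical per-mailbox GSSAPI switch and expected-principal check Jeffrey asks for. The fallback order, the `init_sec_context` callback and the account fields are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Account:
    host: str
    use_secure_auth: bool                      # Thunderbird's "Use Secure Authentication" box
    gssapi_enabled: bool = True                # hypothetical per-mailbox switch (Jeffrey's request)
    expected_principal: Optional[str] = None   # hypothetical: principal authorized for this mailbox


# Constructed fallback order; the thread does not state Thunderbird's actual order.
FALLBACK_ORDER = ("CRAM-MD5", "PLAIN")
# Constructed server CAPABILITY response used by demo().
CAPS = "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=PLAIN"


def sasl_mechanisms(capability_line: str) -> List[str]:
    """Return the AUTH=<mech> names a server advertises in its IMAP CAPABILITY response."""
    return re.findall(r"\bAUTH=([A-Z0-9_-]+)", capability_line)


def select_mechanism(account: Account, capability_line: str,
                     init_sec_context: Callable[[str], bool],
                     ccache_principal: Optional[str]) -> Optional[str]:
    """Pick the SASL mechanism to try first, per Simon's rule plus Jeffrey's caveat.

    GSSAPI is skipped when the default ccache is empty or holds a principal other than
    the one this mailbox expects: the exchange would succeed and the user would still be
    locked out, which is the failure mode Jeffrey describes.
    """
    mechs = sasl_mechanisms(capability_line)
    if (account.use_secure_auth and account.gssapi_enabled and "GSSAPI" in mechs
            and ccache_principal is not None
            and account.expected_principal in (None, ccache_principal)
            and init_sec_context(account.host)):
        return "GSSAPI"
    # "If GSSAPI fails, then we'll fall back to trying a different authentication scheme."
    for mech in FALLBACK_ORDER:
        if mech in mechs:
            return mech
    return None


def demo() -> dict:
    """Constructed scenarios; the callback stands in for a context that initializes fine."""
    ok = lambda host: True
    acct = Account("imap.example.org", True, expected_principal="alice@EXAMPLE.ORG")
    return {"right_principal": select_mechanism(acct, CAPS, ok, "alice@EXAMPLE.ORG"),
            "wrong_principal": select_mechanism(acct, CAPS, ok, "bob@EXAMPLE.ORG"),
            "no_ccache": select_mechanism(acct, CAPS, ok, None),
            "secure_auth_off": select_mechanism(Account("imap.example.org", False), CAPS, ok, "alice@EXAMPLE.ORG")}
```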
------------------------------

_______________________________________________
Kerberos mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos


End of Kerberos Digest, Vol 33, Issue 10
****************************************