[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Kerberos support in standard services
Note: I changed the subject
>>>>> "Andrew" == Andrew Bartlett <abartlet@samba.org> writes:
Andrew> SASL covers most of this problem, and as I understand it,
Andrew> it is a far more standard solution than kpop. I don't
Andrew> know if the mail clients and server use the sign/seal end
Andrew> or just the authentication, but I certainly see GSSAPI as
Andrew> a supported password type for evolution.
I think most servers and clients don't support SASL yet.
On this mailing list people have said
* cryus imap and pop support SASL.
* evolution supports GSSAPI (hopefully via SASL?)
I am not sure if this support is in the Debian package though, I
can't see SASL in the depends for the packages. Still it is good that
upstream support it.
Personally, I use mutt, Gnus, imp (web based), and courier-*, I don't
think any support SASL. Then again, Gnus doesn't support SSL properly
either[1].
Once-upon-a-time there was an Apache module for Kerberos
authentication. It seemed a bit pointless at the time, because no
clients supported it. Also SASL would be better... What is the current
status of this module. Does it still exist?
Notes:
[1] Gnus blindly calls the "openssl s_client", and no concept of
displaying messages to the user if there is a problem with the server
certificate. So, yes, it does support SSL, but it hardly works to
prevent man-in-the-middle attacks. At least it was like this last I
tested it, I don't think anything has changed.
--
Brian May <bam@snoopy.apana.org.au>