Re: Kerberos support in standard services
On Thu, 7 Jul 2005, Brian May wrote:
> On this mailing list people have said
> * cyrus imap and pop support SASL.
> * evolution supports GSSAPI (hopefully via SASL?)
The University of Washington imapd supports GSSAPI over SASL, as does
'pine'.
One of the things I've been thinking about for a while is setting up a web
site about Kerberized protocols - listing protocols, and the options for
Kerberos compatible clients and servers. It's one of the things that
continually troubles us when deploying new services. Maybe I should get
along and do this.
> Once-upon-a-time there was an Apache module for Kerberos
> authentication. It seemed a bit pointless at the time, because no
> clients supported it. Also SASL would be better... What is the current
> status of this module? Does it still exist?
Possibly not the module you're thinking of (there were a number of
mod_auth_kerb auth modules that just took the user's password and slung it
at the KDC - not really real Kerberos). But there is now code to support
Microsoft's HTTP-Negotiate mechanism (GSSAPI/SPNEGO/Kerberos HTTP
authentication) as an Apache module. HTTP-Negotiate is also supported in
recent Mozilla and Firefox builds.
> Also SASL would be better... What is the current
> status of this module? Does it still exist?
I don't think you could do general-purpose SASL over HTTP, as it requires
multiple 'rounds' from the underlying transport. HTTP, being stateless,
just gives you one shot.
Cheers,
Simon.
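
Added example, not part of the original message: the difference drawn above between modules that forward a password to the KDC and HTTP-Negotiate is visible in the `Authorization` header, so a server-side check can tell the two apart. It assumes the password-forwarding case arrives as HTTP Basic; the function names and sample headers are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs that follow the 0x60 tag of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _after_der_length(buf, pos):
    # Index just past the DER length field that starts at buf[pos].
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_authorization(value):
    """Label one Authorization header value by what the client actually sent."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic-password"      # reusable password crosses the wire
    if scheme != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return "negotiate-malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "negotiate-ntlm"      # NTLM carried in Negotiate, not Kerberos
    if len(token) < 4 or token[0] != 0x60:
        return "negotiate-unknown"
    body = _after_der_length(token, 1)
    if token.startswith(SPNEGO_OID, body):
        return "negotiate-spnego"
    if token.startswith(KRB5_OID, body):
        return "negotiate-kerberos"
    return "negotiate-unknown"

def make_sample(oid):
    """Constructed, truncated token: GSS-API framing plus an empty body."""
    inner = oid + b"\xa0\x00"
    raw = b"\x60" + bytes([len(inner)]) + inner
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample headers (not captured traffic).
SAMPLES = [
    "Basic " + base64.b64encode(b"alice:example-password").decode(),
    make_sample(SPNEGO_OID),
    make_sample(KRB5_OID),
    "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "Negotiate not*base64",
]
```

Only the `negotiate-spnego` and `negotiate-kerberos` results mean the client presented a GSS-API token rather than a password or an NTLM message.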