[24644] in Kerberos
Re: Kerberos support in Thunderbird
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 14 19:10:34 2005
To: jalex@cis.upenn.edu (Jim Alexander)
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 14 Sep 2005 19:09:49 -0400
In-Reply-To: <dg4u8j$ek07$1@netnews.upenn.edu> (Jim Alexander's message of
"Mon, 12 Sep 2005 22:08:19 +0000 (UTC)")
Message-ID: <tslr7br8cw2.fsf@cz.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
>>>>> "Jim" == Jim Alexander <jalex@cis.upenn.edu> writes:
Jim> In article <43259153.6060500@sxw.org.uk>,
Jim> Simon Wilkinson <simon@sxw.org.uk> wrote:
Jim> ]At the moment, if the 'Use Secure Authentication' option is
Jim> set for a ]given protocol, the server at the other end offers
Jim> GSSAPI as one of its ]supported SASL mechanisms, and the
Jim> first call to init_secure_context for ]that server succeeds,
Jim> we'll try to do GSSAPI auth against that server. ]If GSSAPI
Jim> fails, then we'll fall back to trying a different
Jim> ]authentication scheme.
Jim> This isn't a correct implementation, then. IMAP "secure
Jim> authentication" is supposed to enable non-cleartext
Jim> authentication when lower-level encryption isn't
Jim> available. It makes no sense to have this enabled to enable
Jim> kerberos auth. You need to be able to separately specify
Jim> that you want kerberos authentication, on a per-account
Jim> basis, without the "Use Secure Authentication" option
Jim> enabled. Since our server does not support secure
Jim> authentication, your implementation does the following right
Jim> now:
sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
definition of IMAP secure authentication.
Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
Jim> a "your server does not support secure authentication"
Jim> dialog. My key manager never prompts me to obtain a ticket.
On Mac and Windows this is not at all what I'd expect. I'd expect you
to be prompted to get tickets.
--Sam
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos