[exim-dev] SASL changes: branch sasl_fixes

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] SASL changes: branch sasl_fixes
Folks,

In debugging why my GSSAPI authenticator (cyrus_sasl driver) had stopped
working, I made a number of fixes, which are on the sasl_fixes branch.
Does anyone fancy giving them a look over for sanity?

$tls_bits is a new variable; that's fed into
sasl_setprop(..,SASL_SSF_EXTERNAL, ...) for the Exim-as-server case.
Should probably be done for the client too.

In the end, my problems are caused by Heimdal; I've sent mail to
heimdal-discuss@:
http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/6701

(I noticed this in Heimdal 1.4, not sure when the problem was
introduced).

In short: KRB5_KTNAME is no longer honoured for processes that have had
security boundary transitions, such as Exim. So using a different
keytab is impossible at present, thus the client library falls back to
trying to get "host/$system_primary_hostname" credentials from the KDC.

Once I figure out, or am told, the API to use to override the keytab in
source, I'll add a HEIMDAL build-option to Exim and add the knobs to let
that be set. This means bypassing the cyrus-sasl abstraction layer, but
we don't appear to have a choice.

If there's anyone using MIT's Kerberos implementation reading: is there
an API call needed to override the keytab there too?
--
https://twitter.com/syscomet