[exim] Testing needed: heimdal_gssapi authenticator

Author: Phil Pennock
Date:  
To: exim-dev, exim-users
Subject: [exim] Testing needed: heimdal_gssapi authenticator
Adventurous folks already using Heimdal needed for testing git branch of
Exim. Docs not yet updated.

Per my mail of 2012-02-04, """Heimdal 1.4 put in some restrictions on
honouring a value of $KRB5_KTNAME inherited from the environment, which
means that at present there's no way to make Exim work with a
non-default keytab file."""

I've added a "heimdal_gssapi" authenticator, server-only. I've
developed and tested against Heimdal 1.4 on FreeBSD.

 (1) Pull Exim git.
 (2) Switch to heimdal branch (git checkout heimdal)
 (3) Note that for historical reasons, "src/" in releases corresponds to
     "src/src/" in git, so cd down one level into the first src.
 (4) Edit your usual Local/Makefile to include:
       AUTH_HEIMDAL_GSSAPI=yes
       AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
 (4a) If you don't have pkg-config installed, ignore that second _PC
      option and instead add the needed -I/include/paths to CFLAGS and
      the library specs to AUTH_LIBS, as per usual
 (4b) If you do have pkg-config but heimdal's package has a different
      name, change the value of the define
 (5) Install as usual
 (6) Use driver "heimdal_gssapi", set option "server_keytab"; if
     switching from "cyrus_sasl" driver, remember to drop the
     "server_mech" option.
 (7) Make sure keytab is readable by Exim runtime user
 (8) Let me know how you get on!


I have:

auth_gssapi:
  driver        = heimdal_gssapi
  public_name   = GSSAPI
  server_hostname = smtp.spodhuis.org
  server_realm  = SPODHUIS.ORG
  server_keytab = /etc/kerberos/tabs/exim.keytab
  server_set_id = $auth1


$auth1 is the server-verified GSSAPI Display Name; $auth2 is the
SASL-provided authorization identifier, which is not cryptographically
verified but is instead whatever the client chooses to ask for (as per
usual; so $auth1 authn, $auth2 is authzid).

Separately, anyone who wants to try AUTH_* and LOOKUP_* library
dependency management with pkg-config, both with and without .so dynamic
libraries, please do so. Take normal variable name, add "_PC", define
value as the name of the pkg-config specification to use. Let me know
of any problems. (This too is only on the heimdal branch).

Regards,
-Phil
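The point about $auth1 versus $auth2 above is the one a deployment most easily gets wrong: $auth2 is whatever authorization identity the client asked for, not something the KDC vouched for. The following is an added example, not Phil's configuration and not from the Exim git branch, showing the same heimdal_gssapi stanza with a server_condition that only accepts an authzid equal to the verified principal (or an empty one, which GSSAPI clients commonly send). The hostname, realm and keytab path are placeholders; that server_condition applies to this driver as it does to other Exim authenticators is an assumption.

```exim
# Added example (not from the original post). Assumes the build steps
# from the post (AUTH_HEIMDAL_GSSAPI=yes and AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
# in Local/Makefile) have already been done.
#
# $auth1 = GSSAPI display name verified against the keytab/KDC (authn)
# $auth2 = SASL authorization id chosen by the client, NOT verified (authzid)

begin authenticators

auth_gssapi:
  driver          = heimdal_gssapi
  public_name     = GSSAPI
  server_hostname = smtp.example.org          # placeholder hostname
  server_realm    = EXAMPLE.ORG               # placeholder realm
  server_keytab   = /etc/kerberos/tabs/exim.keytab   # placeholder path; readable by the Exim runtime user only

  # Only allow the client to act as itself: an empty authzid, or one that
  # exactly matches the KDC-verified principal in $auth1. Anything else is
  # refused, so an untrusted $auth2 can never be promoted to an identity.
  server_condition = ${if or{{eq{$auth2}{}}{eq{$auth2}{$auth1}}}{yes}{no}}

  # Record the verified name, never the client-chosen one, as the
  # authenticated id that appears in Received: headers and logs.
  server_set_id   = $auth1
```

If some clients legitimately need to act on behalf of another principal (a proxying gateway, for instance), replace the equality test with a lookup that maps $auth1 to the set of authzids it may assume; the key property to keep is that the decision is driven by $auth1, the value the Kerberos exchange actually verified.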