Re: [exim] Smarthost with Kerberos Auth

Top Page
Delete this message
Reply to this message
Author: Andy Bennett
Date:  
To: exim-users
Subject: Re: [exim] Smarthost with Kerberos Auth
Hi,

>>> Neither at present. The correct fix is to expand the heimdal_gssapi
>>> authenticator to handle client-side authentication. This would be the
>>> simplest, with fewer layers of abstraction to manipulate, and is newer
>>> code (introduced with Exim 4.80).
>>
>> I'm running MIT Kerberos. Can heimdal_gssapi speak to that?
>
> Almost. Per:
>
> http://web.mit.edu/kerberos/krb5-1.3/README-1.3.1.txt
>
> if you have MIT Kerberos of at least version 1.3, then you have the
> functionality, but you'll need to change
> `gsskrb5_register_acceptor_identity()` in the Exim source
> (src/auths/heimdal_gssapi.c) to be
> `krb5_gss_register_acceptor_identity()` instead.
>
> I _think_ it's otherwise compatible. You might need to adjust include
> header paths too -- I simply don't know.
>
> If you see that working server-side, I can put some conditional
> compilation in to alias the name for MIT.


Given my configuration, it looks like I have some options.
I'm using MIT Kerberos so I'm not restricted by the KRB5_KTNAME issues
with setuid binaries. Also, after the table at

http://web.mit.edu/Kerberos/krb5-current/doc/mitK5defaults.html#paths

...it suggests that MIT Kerberos might do something useful at the point
that the client keytab is chosen. I don't know how that works in the
Debian build that I have tho'.

This may also be relevant:

http://web.mit.edu/kerberos/krb5-current/doc/basic/keytab_def.html


...so I could provide client support for the cyrus-sasl authenticator.
The issue of linkage to the appropriate Kerberos libraries is then a
problem for the system's Cyrus SASL installation. On Debian this is
handled through the optional installation of the following two modules:

http://packages.debian.org/squeeze/libsasl2-modules-gssapi-heimdal
http://packages.debian.org/squeeze/libsasl2-modules-gssapi-mit

This has the advantages that:
+ The exim build does not need to learn about conditional linkage
against Kerberos libraries.
This kind of linkage could represent packaging and distribution
challenges.

+ There is potential to use the cyrus-sasl authenticator in client mode
for more than just GSSAPI.
Exim could delegate other mechanisms to Cyrus.



The other option is to provide client support for the heimdal_gssapi
authenticator.

I found these threads:

http://kerberos.996246.n3.nabble.com/Exim-Heimdal-1-4-server-identity-lost-KRB5-KTNAME-redux-tt11607.html#none

http://kerberos.996246.n3.nabble.com/Patch-for-uid-based-default-keytabs-for-sasl-gssapi-slapd-ldap-td10925.html

The latter suggests that they are thinking about fixing (or have now
fixed) this in a similar way to the MIT Kerberos client keytab
documentation above. Therefore a patch to heimdal_gssapi may involve
long term code duplication and maintenance in exim.



Thoughts?





Regards,
@ndy

--
andyjpb@???
http://www.ashurst.eu.org/
0x7EBA75FF