[Dovecot] Enhanced Kerberos support
Timo Sirainen
tss at iki.fi
Mon Nov 26 15:54:59 EET 2007
On Tue, 2007-11-13 at 14:16 -0800, Richard A Nelson wrote:
> The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed
> for multi-homed (or multi-domained) sites.
I haven't implemented Dovecot's GSSAPI code and my GSSAPI/Kerberos
knowledge is pretty limited. I guess some day I should find out more
about it. So, Cc'd Jelmer in case he has some comments/ideas.
> SSH recently added this enhancement to address this common need:
>
> GSSAPIStrictAcceptorCheck
> Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
> against. If “yes” then the client must authenticate against the host service on the current hostname.
> If “no” then the client may authenticate against any service key stored in the machine’s default
> store. This facility is provided to assist with operation on multi homed machines. The default is
> “yes”. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it
> to “no” may only work with recent Kerberos GSSAPI libraries.
Somehow this doesn't sound like a very good idea.
> I've heard that other daemons support multi-names by, instead of using gethostname(), obtaining the hostname of the
> interface that the request came in on.
I guess this would mean a PTR DNS lookup for the local IP? I've wanted
to avoid DNS lookups in Dovecot so far, but proxying would also want to
use them.
I guess blocking DNS lookups for local IPs should be pretty safe and
fast. Perhaps a new %D variable modifier, so you could do
auth_gssapi_hostname = %Dl. Since these shouldn't be used for remote
lookups, Dovecot could also cache them (with upper limit 100 or
something).
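As an added example (not Dovecot's code, and not something from this thread), the scheme sketched above: take the local address a connection arrived on, do one blocking PTR lookup for it, fall back to gethostname() when there is no PTR record, and keep the results in a small bounded cache so each local address is looked up once. The class name, the injectable `resolver`/`fallback` hooks and the cache size are assumptions.

```python
import socket
from collections import OrderedDict


class LocalAcceptorNames:
    """Maps the local IP a connection arrived on to the hostname to use
    as the GSSAPI acceptor name (the "%Dl" idea from the thread)."""

    def __init__(self, resolver=socket.gethostbyaddr,
                 fallback=socket.gethostname, max_entries=100):
        # resolver(ip) -> (hostname, aliases, addrs); fallback() -> str.
        # Both are injectable so the lookup can be replaced in tests.
        self._resolver = resolver
        self._fallback = fallback
        self._max = max_entries
        self._cache = OrderedDict()  # ip -> hostname, oldest first
        self.lookups = 0             # number of blocking lookups done

    def hostname_for(self, local_ip):
        cached = self._cache.get(local_ip)
        if cached is not None:
            return cached
        self.lookups += 1
        try:
            # PTR records for the server's own addresses are under the
            # site's control, so the name is as trustworthy as the keytab.
            name = self._resolver(local_ip)[0].rstrip(".").lower()
        except OSError:
            # socket.herror/gaierror are OSError subclasses: no PTR record,
            # so behave like today's gethostname()-based default.
            name = self._fallback().lower()
        if len(self._cache) >= self._max:
            self._cache.popitem(last=False)  # evict the oldest entry
        self._cache[local_ip] = name
        return name

    def acceptor_for_connection(self, sock):
        """Acceptor hostname for an accepted socket: the address the client
        connected TO (getsockname), never the client's own address."""
        return self.hostname_for(sock.getsockname()[0])
```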