[Dovecot] Enhanced Kerberos support
Jelmer Vernooij
jelmer at samba.org
Mon Nov 26 16:38:26 EET 2007
Hi Timo, Richard,
On Mon, 2007-11-26 at 15:54 +0200, Timo Sirainen wrote:
> On Tue, 2007-11-13 at 14:16 -0800, Richard A Nelson wrote:
> > SSH recently added this enhancement to address this common need:
> >
> > GSSAPIStrictAcceptorCheck
> > Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
> > against. If “yes” then the client must authenticate against the host service on the current hostname.
> > If “no” then the client may authenticate against any service key stored in the machine’s default
> > store. This facility is provided to assist with operation on multi homed machines. The default is
> > “yes”. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it
> > to “no” may only work with recent Kerberos GSSAPI libraries.
> Somehow this doesn't sound like a very good idea.
I'm a bit curious as to why you would want to be strict about this - is
this serving multiple realms?
> > I've heard that other daemons support multiple names by, instead of using gethostname(), obtaining the hostname of the
> > interface that the request came in on.
> I guess this would mean a PTR DNS lookup for the local IP? I've wanted
> to avoid DNS lookups in Dovecot so far, but proxying would also want to
> use them..
Perhaps we can just do this in case the option equivalent to
GSSAPIStrictAcceptorCheck is enabled or perhaps some other option to
enable gssapi multi-homing?
> I guess blocking DNS lookups for local IPs should be pretty safe and
> fast. Perhaps a new %D variable modifier, so you could do
> auth_gssapi_hostname = %Dl. Since these shouldn't be used for remote
> lookups, Dovecot could also cache them (with upper limit 100 or
> something).
Yeah, that would make sense I think.
Cheers,
Jelmer
--
Jelmer Vernooij <jelmer at samba.org> - http://samba.org/~jelmer/
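As an added example, not Dovecot's code and not from this thread: one way to implement the local-interface lookup sketched above (reverse-DNS of the local IP a connection arrived on, cached with an upper limit of 100) to pick a per-interface acceptor principal on a multi-homed server. The reverse-DNS table, realm and hostnames are constructed sample values, and the lookup function is injectable so the code runs offline.

```python
# Added example (not Dovecot code): derive the GSSAPI acceptor name from the
# local address a connection arrived on, instead of gethostname(), so a
# multi-homed server presents the right host principal on each interface.
from collections import OrderedDict
import socket

CACHE_LIMIT = 100  # upper bound on cached local-IP lookups, as proposed in the thread

_SAMPLE_PTR = {  # constructed sample data: local interface IP -> reverse-DNS name
    "192.0.2.10": "imap-a.example.com",
    "192.0.2.20": "imap-b.example.com",
}

def sample_reverse_lookup(ip):
    """Stand-in for socket.gethostbyaddr(ip)[0]; raises like the real call."""
    try:
        return _SAMPLE_PTR[ip]
    except KeyError:
        raise socket.herror("unknown host")

class LocalNameCache:
    """Bounded LRU cache of local IP -> hostname (the '%Dl' idea from the thread)."""
    def __init__(self, lookup=sample_reverse_lookup, limit=CACHE_LIMIT):
        self._lookup = lookup
        self._limit = limit
        self._entries = OrderedDict()

    def hostname_for(self, local_ip):
        if local_ip in self._entries:
            self._entries.move_to_end(local_ip)      # refresh LRU position
            return self._entries[local_ip]
        try:
            name = self._lookup(local_ip).rstrip(".").lower()
        except (socket.herror, socket.gaierror):
            name = socket.gethostname()              # fallback: the old single-name behaviour
        self._entries[local_ip] = name
        if len(self._entries) > self._limit:
            self._entries.popitem(last=False)        # evict least recently used entry
        return name

def acceptor_principal(cache, local_ip, service="imap", realm="EXAMPLE.COM"):
    """Kerberos service principal the server should accept on this interface."""
    return f"{service}/{cache.hostname_for(local_ip)}@{realm}"

def local_ip_of(conn):
    """For a real accepted socket: the interface address the client connected to."""
    return conn.getsockname()[0]
```

With a real accepted socket, `acceptor_principal(cache, local_ip_of(conn))` gives the principal to pass to the GSSAPI acceptor for that connection.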