[Dovecot] GSSAPI Cross-Realm Patch
Zachary Kotlarek
zach at kotlarek.com
Thu Oct 11 02:00:10 EEST 2007
I've written a GSSAPI cross-realm auth patch for people not lucky enough
to have the __gss_userok function, though it should apply pretty cleanly
with that patch in place as well.

The patch is available at:
http://zinux.cynicbytrade.com/svn/servers/dovecot/cross-realm.diff.bz2

It works for me on MIT-kerb, and I tested compilation against heimdal,
but I don't have a cross-realm setup to test functionality under heimdal
(though I also have no reason to think it wouldn't work).

Since neither MIT nor heimdal provides a gss_userok() function, I used
the krb5_userok() function. So if you're using a mechanism other than
krb5 this won't work. But it's the same thing that OpenSSH and the apps
distributed with heimdal do, so it seemed relatively safe.

I also chose to append the krb5_userok() check rather than replace the
gss_compare_name() check -- that way same-realm auth works for non-krb5
mechanisms, and my new code doesn't get called unless the same-realm
check fails. If you don't care about other mechanisms it would be faster
to bypass the gss_compare_name() check entirely.

If this is something you'd like to mainline I'd be happy to standardize
the coding style -- just point me to a style definition document. And if
it doesn't hit the mainline I expect to maintain it for the foreseeable
future, with updates at the same URL.

Zach
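
Added example, not part of the original post or the patch: a self-contained C model of the check order the post describes (the same-realm name comparison first, the krb5_userok()-style lookup only when that fails). It calls no GSSAPI or Kerberos library; the function names, realm names and .k5login contents are constructed, and it assumes a cross-realm principal is authorized only by a whole-line entry in the account's .k5login (no custom auth_to_local mapping).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stage 1, modelling the same-realm name comparison: the authenticated
 * principal must equal "<login>@<default realm>" exactly. */
static bool same_realm_match(const char *princ, const char *login,
                             const char *default_realm)
{
    char expected[256];
    int n = snprintf(expected, sizeof expected, "%s@%s", login, default_realm);
    if (n < 0 || (size_t)n >= sizeof expected)
        return false;                       /* over-long name: fail closed */
    return strcmp(princ, expected) == 0;
}

/* Stage 2, modelling the .k5login lookup: the principal must match one
 * whole line; a prefix or substring of a listed name is not a match. */
static bool k5login_lists(const char *k5login, const char *princ)
{
    size_t plen = strlen(princ);
    if (k5login == NULL || plen == 0)
        return false;
    for (const char *line = k5login; *line != '\0'; ) {
        size_t len = strcspn(line, "\n");
        if (len == plen && memcmp(line, princ, plen) == 0)
            return true;
        line += len;
        if (*line == '\n')
            line++;
    }
    return false;
}

/* Order described in the post: same-realm check first, fallback only on failure. */
static bool login_authorized(const char *princ, const char *login,
                             const char *default_realm, const char *k5login)
{
    if (same_realm_match(princ, login, default_realm))
        return true;
    return k5login_lists(k5login, princ);
}

int main(void)
{
    const char *k5login = "admin@EXAMPLE.ORG\nzach@OTHER.EXAMPLE\n"; /* constructed */
    printf("%d\n", login_authorized("zach@OTHER.EXAMPLE", "zach", "EXAMPLE.ORG", k5login));
    return 0;
}
```

Because the fallback runs only after the same-realm comparison fails, a same-realm principal is accepted in this model even when the .k5login text does not list it.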