[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI

Timo Sirainen tss at iki.fi
Sat Jul 18 02:33:35 EEST 2009


On Wed, 2009-07-08 at 13:41 +0200, Michal Hlavinka wrote:
> > I guess this fixes it again:
> > http://hg.dovecot.org/dovecot-1.2/rev/f4ff64dd79a9
> 
> We've tested dovecot with all four available patches (it means up to date
> mech-gssapi.c) and it works.

I've been talking with the main Heimdal guy and he thinks that kind of
checking is scary bad.

One thing that should change at least is that gss_display_name()
shouldn't be passed to krb5_parse_name(). Instead gss_export_name()
should be used and its results checked and passed to krb5_parse_name()
(OpenSSH does this too). But I don't know if that would solve the
original problem that required me to add the patch mentioned above.

One thing I'm not really sure about in Kerberos is, do both MIT and
Heimdal require that you are using system users and have NSS set up
in a way that Kerberos code can look up users with getpw*() functions? I
think that's the main thing that krb5_kuserok() does that
gss_compare_name() doesn't. But does Kerberos do the same check
elsewhere, so this isn't really a problem after all? If it doesn't check
the user's existence elsewhere, maybe I could just use gss_export_name()s
and compare them instead of display names?..
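The message says gss_export_name() output should be "checked" before it reaches krb5_parse_name(), and that exported names could be compared directly instead of display names. The C below is an added example, not Dovecot's mech-gssapi.c and not OpenSSH's code: it parses the RFC 2743 section 3.2 exported-name token format (0x04 0x01, a 2-byte DER OID length, the DER mechanism OID, a 4-byte name length, the name), verifies the mechanism is Kerberos V5 and that the name is a clean NUL-free string before handing it on, and compares two exported names as opaque bytes. The token builder and the sample principal alice@EXAMPLE.COM are constructed here so the code runs without a GSSAPI library; a real server would receive the token from gss_export_name().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER encoding (tag + length + value) of the Kerberos V5 mechanism OID
 * 1.2.840.113554.1.2.2, as it appears inside an exported name token. */
static const unsigned char KRB5_MECH_OID_DER[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

struct exported_name {
    const unsigned char *mech_oid;   /* DER OID, including tag and length byte */
    size_t mech_oid_len;
    const unsigned char *name;       /* mechanism-specific name, not NUL-terminated */
    size_t name_len;
};

/* Parse an RFC 2743 section 3.2 exported name token:
 *   0x04 0x01 | OID_LEN (2 bytes BE) | DER OID | NAME_LEN (4 bytes BE) | NAME
 * Returns 0 on success, -1 if the token is malformed or has trailing bytes. */
int parse_exported_name(const unsigned char *buf, size_t len,
                        struct exported_name *out)
{
    size_t oid_len, name_len;

    if (buf == NULL || out == NULL || len < 8)
        return -1;
    if (buf[0] != 0x04 || buf[1] != 0x01)          /* token identifier */
        return -1;
    oid_len = ((size_t)buf[2] << 8) | buf[3];
    if (oid_len < 2 || oid_len > 129 || len < 8 + oid_len)
        return -1;
    /* The OID must be a short-form DER OBJECT IDENTIFIER whose own length
     * byte agrees with OID_LEN; this rejects tokens that lie about sizes. */
    if (buf[4] != 0x06 || buf[5] != oid_len - 2)
        return -1;
    name_len = ((size_t)buf[4 + oid_len] << 24) | ((size_t)buf[5 + oid_len] << 16) |
               ((size_t)buf[6 + oid_len] << 8)  |  (size_t)buf[7 + oid_len];
    if (name_len == 0 || len - (8 + oid_len) != name_len)
        return -1;                                  /* truncated or overlong */
    out->mech_oid = buf + 4;
    out->mech_oid_len = oid_len;
    out->name = buf + 8 + oid_len;
    out->name_len = name_len;
    return 0;
}

/* Extract the principal from an exported name so it can be handed to
 * krb5_parse_name(): the mechanism must be Kerberos V5 and the name must
 * contain no embedded NUL (which would silently truncate what krb5 sees).
 * Returns 0 and writes a NUL-terminated principal into princ on success. */
int krb5_principal_from_exported_name(const unsigned char *buf, size_t len,
                                      char *princ, size_t princ_size)
{
    struct exported_name en;

    if (parse_exported_name(buf, len, &en) != 0)
        return -1;
    if (en.mech_oid_len != sizeof(KRB5_MECH_OID_DER) ||
        memcmp(en.mech_oid, KRB5_MECH_OID_DER, sizeof(KRB5_MECH_OID_DER)) != 0)
        return -1;                                  /* not a Kerberos name */
    if (memchr(en.name, '\0', en.name_len) != NULL)
        return -1;                                  /* embedded NUL */
    if (en.name_len + 1 > princ_size)
        return -1;
    memcpy(princ, en.name, en.name_len);
    princ[en.name_len] = '\0';
    return 0;
}

/* Compare two exported names as opaque byte strings (length, then bytes),
 * instead of comparing human-readable display names. */
int exported_names_equal(const unsigned char *a, size_t alen,
                         const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Constructed helper: build a Kerberos exported name token for a principal
 * string. A real server gets this token from gss_export_name().
 * Returns the token length, or 0 on error. */
size_t build_krb5_exported_name(const char *principal, unsigned char *out,
                                size_t out_size)
{
    size_t plen = strlen(principal);
    size_t total = 8 + sizeof(KRB5_MECH_OID_DER) + plen;
    unsigned char *p = out;

    if (plen == 0 || plen > 0xFFFFFFFFu || total > out_size)
        return 0;
    *p++ = 0x04; *p++ = 0x01;                       /* token identifier */
    *p++ = 0x00; *p++ = (unsigned char)sizeof(KRB5_MECH_OID_DER);
    memcpy(p, KRB5_MECH_OID_DER, sizeof(KRB5_MECH_OID_DER));
    p += sizeof(KRB5_MECH_OID_DER);
    *p++ = (unsigned char)(plen >> 24); *p++ = (unsigned char)(plen >> 16);
    *p++ = (unsigned char)(plen >> 8);  *p++ = (unsigned char)plen;
    memcpy(p, principal, plen);
    return total;
}

int main(void)
{
    unsigned char tok[128];
    char princ[64];
    size_t n = build_krb5_exported_name("alice@EXAMPLE.COM", tok, sizeof tok);

    if (n && krb5_principal_from_exported_name(tok, n, princ, sizeof princ) == 0)
        printf("principal for krb5_parse_name(): %s\n", princ);
    /* Corrupt the name length so it overruns the buffer: must be rejected. */
    tok[4 + sizeof(KRB5_MECH_OID_DER)] = 0x7f;
    printf("overlong token accepted: %s\n",
           krb5_principal_from_exported_name(tok, n, princ, sizeof princ) == 0 ? "yes" : "no");
    return 0;
}
```

The length checks are the part that matters for the "results checked" remark: every size field in the token is verified against the buffer before any byte behind it is read, and a name with an embedded NUL is refused rather than handed to a C-string API that would only see its prefix.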