[Dovecot] v1.2.2 released
Timo Sirainen
tss at iki.fi
Mon Jul 27 13:41:24 EEST 2009
On Jul 27, 2009, at 5:06 AM, Peter Eriksson wrote:
> "mech-gssapi.c", line 276: undefined symbol: gss_mech_krb5
> "mech-gssapi.c", line 276: warning: improper pointer/integer combination: arg #2
..
> "gss_mech_krb5" is not a valid variable on Solaris.
Oh, there are more GSSAPI implementations than just MIT and Heimdal? :)
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/ac2e37e4c2c1
> Do you really have to check that GSSAPI is using Kerberos? Why not
> leave it up to the system to use whatever default authentication
> mechanism is chosen (currently that probably is Kerberos, but other
> things might pop up in the future - you never know). The whole point
> of using GSSAPI is that it should be agnostic to the authentication
> mechanism used "behind the scenes"...
GSSAPI SASL mechanism is meant only for Kerberos. I don't really know
why. RFC 4752 says:
    Upon successful establishment of the security context (i.e.,
    GSS_Accept_sec_context returns GSS_S_COMPLETE), the server SHOULD
    verify that the negotiated GSS-API mechanism is indeed Kerberos V5
    [KRB5GSS]. This is done by examining the value of the mech_type
    parameter returned from the GSS_Accept_sec_context call. If the value
    differs, SASL authentication MUST be aborted.
Also Heimdal's author said that comparing GSSAPI display names is
dangerous if this check isn't done. That's the main reason I added the
check.
> Another issue when building 1.2.2 that wasn't there with 1.2.1 is that
> "-lsocket" seems to be missing causing linking errors. One example:
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/cd29b745c8dd
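A portable form of the mech_type check that the RFC 4752 text quoted above asks for: compare the returned OID against the Kerberos V5 OID bytes rather than relying on an implementation-specific symbol such as gss_mech_krb5. This is an added example, not code from Dovecot or from the changesets linked in the message; struct oid_desc, mech_is_krb5 and oid_to_string are hypothetical names, and the SPNEGO and truncated OIDs are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_OID_desc (same fields) so this builds without GSS-API headers. */
struct oid_desc { unsigned int length; const void *elements; };

/* DER content octets of 1.2.840.113554.1.2.2, the Kerberos V5 mechanism. */
static const unsigned char krb5_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const struct oid_desc krb5_mech = { sizeof(krb5_bytes), krb5_bytes };
/* Constructed samples: SPNEGO (1.3.6.1.5.5.2) and a truncated Kerberos OID. */
static const unsigned char spnego_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const struct oid_desc spnego_mech = { sizeof(spnego_bytes), spnego_bytes };
static const struct oid_desc short_mech = { sizeof(krb5_bytes) - 1, krb5_bytes };

/* Hypothetical helper: 1 only if mech_type is byte-for-byte Kerberos V5.
 * A 0 result means the SASL exchange has to be aborted (RFC 4752). */
static int mech_is_krb5(const struct oid_desc *mech_type)
{
    if (mech_type == NULL || mech_type->elements == NULL) return 0;
    return mech_type->length == krb5_mech.length &&
        memcmp(mech_type->elements, krb5_mech.elements, krb5_mech.length) == 0;
}

/* Render an OID in dotted form for the rejection log; -1 if malformed or too long. */
static int oid_to_string(const struct oid_desc *oid, char *buf, size_t size)
{
    const unsigned char *p = oid->elements;
    unsigned long arc = 0;
    size_t used = 0;
    for (unsigned int i = 0; i < oid->length; i++) {
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue; /* arc continues in the next octet */
        int n = used == 0 /* the first arc value packs two arcs as 40*X + Y */
            ? snprintf(buf, size, "%lu.%lu", arc < 80 ? arc / 40 : 2, arc < 80 ? arc % 40 : arc - 80)
            : snprintf(buf + used, size - used, ".%lu", arc);
        if (n < 0 || (size_t)n >= size - used) return -1;
        used += (size_t)n;
        arc = 0;
    }
    return oid->length > 0 && !(p[oid->length - 1] & 0x80) ? 0 : -1;
}

int main(void)
{
    char name[64];
    if (!mech_is_krb5(&spnego_mech) && oid_to_string(&spnego_mech, name, sizeof(name)) == 0)
        printf("abort: negotiated mechanism %s is not Kerberos V5\n", name);
    return mech_is_krb5(&krb5_mech) ? 0 : 1;
}
```

In a real server the argument would be the mech_type output of gss_accept_sec_context(), checked once the call returns GSS_S_COMPLETE.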