[Dovecot] GSSAPI cross-realm still broken

Bryan Jacobs no at landwarsin.asia
Tue Mar 3 19:57:24 EET 2009

I've been trying to track down some problems with Dovecot in a Kerberos
5 cross-realm environment, and there seem to be a few issues.
LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to

On line 436 of src/auth/mech-gssapi.c, the authn_name and the
authz_name are compared using gss_compare_name.  This dates back to the
message at:

While everything within that message is true, as things stand, Dovecot
is unusable in a cross-realm environment.  When cross-realm tickets are
used, the authn_name is "username at REALM" and the authz_name is
"username" (or vice versa, I don't remember).  The attached patch
causes dovecot to display these two values in human-readable format to
illustrate the issue.  Because these two GSS names differ, Dovecot
refuses to allow access in spite of the fact that krb5_kuserok would
return TRUE.

I am not the only one to have noticed this problem:

Might I suggest that some more robust security checking be done instead
of abusing gss_compare_name like this?  I don't know how to do
this using GSSAPI, but on the Kerberos side Heimdal provides the
function krb5_kuserok.  Dovecot could also just have a configurable
file listing acceptable krb5 principals (preferably in .k5login syntax)
and check that both auth_name and authz_name are in the list.

Bryan Jacobs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: authnmis2.patch
Type: text/x-patch
Size: 1646 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090303/4452ebb0/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090303/4452ebb0/attachment-0001.bin 

More information about the dovecot mailing list