On Mon, 2004-07-12 at 17:49 +0300, Timo Sirainen wrote:
> On Mon, 2004-07-12 at 17:20, Colin Walters wrote:
> > I've been working on a patch for GSSAPI (Kerberos) support. It seems to work pretty well for authentication (I've tested it with Evolution, fetchmail, and mutt). I have also been working on implementing integrity/confidentiality protection. Unfortunately not many clients support this - the only one I've found really is mutt, which seems to disconnect from the server for some unknown reason not long after a Kerberos-secured conversation. I'm still trying to track that down.
> > But anyways the patch is far along enough that I think it's worthy of review and testing.
>
> Thanks, I took a quick look through and it looked good.

Cool, thanks. I'd like to have it actually working with mutt before it goes in, but if you don't see any architectural problems, that's encouraging.

> Integrity proxy should perhaps be moved into lib-auth in case it gets useful for other things than login process.

Hm. I was modeling the integrity support after the SSL support, since conceptually it's very similar. I'm not sure which other process would use the integrity support? Both POP3 and IMAP define integrity and confidentiality as starting after authentication, so it would only come into play after the auth process was used. I don't see how master would use it sensibly. I think it would be difficult to use from the imap process since that runs only with user privilege, and at least Kerberos requires access to the keytab file, which should not be readable by regular users.