At 9AM +0200 on 24/05/13 you (Wolfgang.Friebel@desy.de) wrote:
> On Fri, 24 May 2013, Ben Morrow wrote:
> > At 4PM -0700 on 23/05/13 you (Dan Mahoney, System Admin) wrote:
> > > I could also create a dovecot-only user with my UID and no other login privileges, but I'd like this to "just work" for anyone.
> > I believe with the latest 2.2 you can also do this with Kerberos principals, if you're running Kerberos; I haven't looked into this yet, but I mean to (for much the same reason).
> To access the mail storage on the imap server you can just speak the imap protocol and authenticate against the imap server just like any other mail client would do. If you are using Kerberos and have a ticket-granting ticket (after e.g. kinit) then the authentication against a properly configured imap server is done without typing passwords. If the imap server does support pam (and dovecot does) then this is handled there.
I didn't quite mean that: yes, that is 'passwordless' in a sense, but you still have to have typed a password into kinit fairly recently.
What I meant was that with 2.2 it's finally possible to set a list of krb5 principals for imap which is different from the list in .k5login. This makes it possible to create special-purpose principals, which can have their keys put in a keytab, which can then log on as an ordinary imap user.
This is somewhat similar to the 'ssh keys with a forced command' idea, except that the whole thing is a good deal more secure because the keys can be cancelled centrally.
Ben
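As an added illustration (not from the thread, and not Dovecot's own documentation): the server-side configuration that Ben's "list of krb5 principals for imap" maps onto in Dovecot 2.2, assuming a passwd-file passdb and that the `k5principals` passdb extra field is the mechanism meant; the realm, principal names, paths and user are placeholders.

```conf
# Added example, not from the thread. Assumes Dovecot 2.2 and the
# k5principals passdb extra field; EXAMPLE.COM, dan, backup/mailhost
# and all paths are placeholders.

# --- /etc/dovecot/conf.d/10-auth.conf ---
auth_mechanisms = plain gssapi
# Server-side keytab holding imap/mailhost.example.com@EXAMPLE.COM
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

passdb {
  driver = passwd-file
  args = /etc/dovecot/imap-users
}

# --- /etc/dovecot/imap-users (passwd-file) ---
# user:{scheme}password:uid:gid:gecos:home:shell:extra_fields
# The password field only matters for the PLAIN mechanism; with GSSAPI the
# client is accepted only if its principal is listed in k5principals.
# This list is independent of ~dan/.k5login, so a dedicated principal can
# read dan's mail over IMAP without being able to log in as dan via ssh.
dan:{CRYPT}<password-placeholder>:1000:1000::/home/dan::k5principals=dan@EXAMPLE.COM,backup/mailhost.example.com@EXAMPLE.COM

# --- client side (shell, shown as comments) ---
# Obtain a TGT for the special-purpose principal from its keytab (no password typed):
#   kinit -kt /etc/keytabs/backup.keytab backup/mailhost.example.com@EXAMPLE.COM
# then any GSSAPI-capable IMAP client logs in as "dan".
# Central revocation: remove or re-key the principal at the KDC (e.g. with
# kadmin) and every copy of the keytab stops working at once, which is the
# advantage over a forced-command ssh key left on the host.
```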