[Dovecot] Enhanced Kerberos support
Richard A Nelson
cowboy at linux.vnet.ibm.com
Wed Nov 14 00:16:57 EET 2007
The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed
for multi-homed (or multi-domained) sites.
SSH recently added this enhancement to address this common need:
GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
against. If “yes” then the client must authenticate against the host service on the current hostname.
If “no” then the client may authenticate against any service key stored in the machine’s default
store. This facility is provided to assist with operation on multi homed machines. The default is
“yes”. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it
to “no” may only work with recent Kerberos GSSAPI libraries.
I've heard that other daemons support multi-names by instead of using gethostname(), obtain the hostname of the
interface that the request came in on.
Can either approach be looked at for dovecot ?
Thanks,
--
Richard A Nelson (Rick) cowboy@((linux.)?vnet|us).ibm.com
Phone: 1-408-463-5584 Fax: 1-408-463-3873
COBOL Development IBM Silicon Valley Laboratory
http://www.ibm.com/software/awdtools/cobol/
More information about the dovecot
mailing list