[Dovecot] Enhanced Kerberos support

Timo Sirainen tss at iki.fi
Mon Nov 26 15:54:59 EET 2007


On Tue, 2007-11-13 at 14:16 -0800, Richard A Nelson wrote:
> The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed
> for multi-homed (or multi-domained) sites.

I haven't implemented Dovecot's GSSAPI code and my GSSAPI/Kerberos
knowledge is pretty limited. I guess some day I should find out more
about it. So, Cc'd Jelmer in case he has some comments/ideas.

> SSH recently added this enhancement to address this common need:
> 
>       GSSAPIStrictAcceptorCheck
>               Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
>               against. If “yes” then the client must authenticate against the host service on the current hostname.
>               If “no” then the client may authenticate against any service key stored in the machine’s default
>               store. This facility is provided to assist with operation on multi homed machines.  The default is
>               “yes”.  Note that this option applies only to protocol version 2 GSSAPI connections, and setting it
>               to “no” may only work with recent Kerberos GSSAPI libraries.

Somehow this doesn't sound like a very good idea.

> I've heard that other daemons support multiple names by, instead of using gethostname(), obtaining the hostname of the
> interface that the request came in on.

I guess this would mean a PTR DNS lookup for the local IP? I've wanted
to avoid DNS lookups in Dovecot so far, but proxying would also want to
use them.

I guess blocking DNS lookups for local IPs should be pretty safe and
fast. Perhaps a new %D variable modifier, so you could do
auth_gssapi_hostname = %Dl. Since these shouldn't be used for remote
lookups, Dovecot could also cache them (with an upper limit of 100 or
something).
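As an added example (not Dovecot or OpenSSH code), the following Python models the two acceptor behaviours quoted above from the SSH option and the per-interface %Dl lookup with a bounded cache proposed in the reply. The hostnames, addresses, realm and keytab contents are constructed sample values, and the resolver is injected so the code runs offline.

```python
from collections import OrderedDict
from typing import Callable, Iterable, Optional

# Constructed sample data, not from the thread: one multi-homed host that
# clients reach under two names, holding an imap/ key for each in its keytab.
REALM = "EXAMPLE.TEST"
SAMPLE_KEYTAB = frozenset({f"imap/mail.example.test@{REALM}", f"imap/imap.example.test@{REALM}"})
SAMPLE_PTR = {"192.0.2.10": "mail.example.test", "198.51.100.10": "imap.example.test"}
STATIC_HOSTNAME = "mail.example.test"  # what gethostname() returns on this host


class LocalNameCache:
    """Bounded reverse-lookup cache for local interface addresses only (the
    %Dl idea from the thread): the resolver is never asked about a remote IP."""

    def __init__(self, resolver: Callable[[str], Optional[str]],
                 local_ips: Iterable[str], limit: int = 100) -> None:
        self._resolver, self._local_ips, self._limit = resolver, frozenset(local_ips), limit
        self._entries: "OrderedDict[str, Optional[str]]" = OrderedDict()
        self.lookups = 0  # number of resolver calls made, to show the cache works

    def hostname_for(self, local_ip: str) -> Optional[str]:
        if local_ip not in self._local_ips:
            return None  # not one of our addresses: refuse rather than resolve
        if local_ip in self._entries:
            self._entries.move_to_end(local_ip)
            return self._entries[local_ip]
        self.lookups += 1
        name = self._resolver(local_ip)
        self._entries[local_ip] = name
        if len(self._entries) > self._limit:
            self._entries.popitem(last=False)  # drop the least recently used entry
        return name


def acceptor_accepts(target: str, local_ip: str, strict: bool,
                     cache: Optional[LocalNameCache] = None,
                     keytab: frozenset = SAMPLE_KEYTAB) -> bool:
    """Does the acceptor accept the service principal the client got a ticket for?

    strict=False mirrors GSSAPIStrictAcceptorCheck=no: any principal in the keytab
    is fine.  strict=True demands imap/<our hostname>, where the hostname is the
    static one unless a per-interface cache maps local_ip to a better name."""
    if target not in keytab:
        return False  # no key for it: the ticket could not be decrypted anyway
    if not strict:
        return True
    name = cache.hostname_for(local_ip) if cache is not None else None
    return target == f"imap/{name or STATIC_HOSTNAME}@{REALM}"
```

With the static hostname a client that connected as imap.example.test fails the strict check; the per-interface lookup makes it pass without falling back to accepting every key in the keytab.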