[Dovecot] Passwordless auth?
Ben Morrow
ben at morrow.me.uk
Fri May 24 18:16:28 EEST 2013
At 9AM +0200 on 24/05/13 you (Wolfgang.Friebel at desy.de) wrote:
> On Fri, 24 May 2013, Ben Morrow wrote:
> > At 4PM -0700 on 23/05/13 you (Dan Mahoney, System Admin) wrote:
> >
> >> I could also create a dovecot-only user with my UID and no other login
> >> privileges, but I'd like this to "just work" for anyone.
> >
> > I believe with the latest 2.2 you can also do this with Kerberos
> > principals, if you're running Kerberos; I haven't looked into this yet,
> > but I mean to (for much the same reason).
>
> To access the mail storage on the imap server you can just speak the imap
> protocol and authenticate against the imap server just like any other mail
> client would do. If you are using Kerberos and have a ticket granting
> ticket (after e.g. kinit) then the authentication against a properly
> configured imap server is done without typing passwords. If the imap
> server does support pam (and dovecot does) then this is handled there.
I didn't quite mean that: yes, that is 'passwordless' in a sense, but
you still have to have typed a password into kinit fairly recently.
What I meant was that with 2.2 it's finally possible to set a list of
krb5 principals for imap which is different from the list in .k5login.
This makes it possible to create special-purpose principals, which can
have their keys put in a keytab, which can then log on as an ordinary
imap user.
This is somewhat similar to the 'ssh keys with a forced command' idea,
except that the whole thing is a good deal more secure because the keys
can be cancelled centrally.
Ben
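As an added illustration of the 2.2 feature Ben describes (not part of the original thread), here is what a per-user principal list can look like with Dovecot's `k5principals` passdb extra field; the realm `EXAMPLE.COM`, the host, the user `dan`, the service principal `imapsvc/backup@EXAMPLE.COM` and the file paths are assumptions chosen for the example.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (excerpt) ---
# Offer GSSAPI alongside PLAIN; the keytab is the server's own key, used to
# verify clients' service tickets.
auth_mechanisms = plain gssapi
auth_gssapi_hostname = imap.example.com
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# A passwd-file passdb carries the k5principals extra field. It lists, per
# IMAP user, the Kerberos principals allowed to log in as that user; it is
# consulted for GSSAPI logins only and is independent of ~/.k5login.
passdb {
  driver = passwd-file
  args = /etc/dovecot/k5principals
}

# User attributes (uid, home, mail location) still come from the system.
userdb {
  driver = passwd
}

# --- /etc/dovecot/k5principals ---
# passwd-file layout: user:password:uid:gid:gecos:home:shell:extra_fields
# The password column is left empty because GSSAPI never checks it.
# "dan" may be reached either with his own TGT (dan@EXAMPLE.COM) or with a
# dedicated, keytab-only principal whose key can be revoked centrally at the
# KDC without touching dan's own credentials or the server's configuration.
dan:::::::k5principals=dan@EXAMPLE.COM,imapsvc/backup@EXAMPLE.COM
```

An unattended job then obtains a ticket with `kinit -k -t /path/to/imapsvc.keytab imapsvc/backup@EXAMPLE.COM` and authenticates to IMAP with GSSAPI as user `dan`; removing the principal from this line, or disabling it at the KDC, cuts off that path without changing any other user's access.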