[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI

Michal Hlavinka mhlavink at redhat.com
Mon Jul 20 10:54:34 EEST 2009


> > > I guess this fixes it again:
> > > http://hg.dovecot.org/dovecot-1.2/rev/f4ff64dd79a9
> >
> > We've tested dovecot with all four available patches (it means up to date
> > mech-gssapi.c) and it works.
>
> I've been talking with the main Heimdal guy and he thinks that kind of
> checking is scary bad.
>
> One thing that should change at least is that gss_display_name()
> shouldn't be passed to krb5_parse_name(). Instead gss_export_name()
> should be used and its results checked and passed to krb5_parse_name()
> (OpenSSH does this too). But I don't know if that would solve the
> original problem that required me to add the patch mentioned above.
>
> One thing I'm not really sure about in Kerberos is, does both MIT and
> Heimdal require that you are using system users and to have NSS set up
> in a way that Kerberos code can look up users with getpw*() functions? I
> think that's the main thing that krb5_kuserok() does that
> gss_compare_name() doesn't. But does Kerberos do the same check
> elsewhere and this isn't really a problem after all? If it doesn't check
> user's existence elsewhere, maybe I could just use gss_export_name()s
> and compare them instead of display names?..

Unfortunately my Kerberos knowledge is almost equal to zero, so I can't help 
with theory, sorry.
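
The quoted exchange above argues for taking the gss_export_name() result, checking it, and only then handing the principal to krb5_parse_name() and krb5_kuserok(). The following is an added example, not code from Dovecot or from either poster: it parses the mechanism-independent exported name framing from RFC 2743 section 3.2, insists that the mechanism OID is Kerberos V5 (RFC 1964) before treating the payload as a principal string, and then applies a simplified model of what MIT krb5_kuserok() checks beyond a plain name comparison, namely that the local account exists (MIT looks it up through getpwnam(), so NSS must be able to resolve it) and that a ~/.k5login file, when present, lists the principal. The realm, the user names, the passwd set and the .k5login contents are constructed sample data, and the kuserok model is a simplification of the library's behaviour rather than a reimplementation of it.

```python
# Added example, not Dovecot's code: exported-name parsing plus a simplified
# krb5_kuserok() model. Realm, users, passwd and .k5login data are constructed.
from __future__ import annotations
import struct

# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964)
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

def build_exported_name(mech_oid_der: bytes, name: str) -> bytes:
    """RFC 2743 3.2: TOK_ID(04 01) | MECH_OID_LEN(2 BE) | MECH_OID | NAME_LEN(4 BE) | NAME."""
    body = name.encode("utf-8")
    return (b"\x04\x01" + struct.pack(">H", len(mech_oid_der)) + mech_oid_der
            + struct.pack(">I", len(body)) + body)

def parse_exported_name(blob: bytes) -> tuple[bytes, bytes]:
    """Return (mech_oid_der, name_bytes); any framing inconsistency raises ValueError."""
    if len(blob) < 4 or blob[:2] != b"\x04\x01":
        raise ValueError("bad TOK_ID")
    (oid_len,) = struct.unpack(">H", blob[2:4])
    oid = blob[4:4 + oid_len]
    # MECH_OID must be one complete DER OID: tag 0x06 and a length filling the field
    if len(oid) != oid_len or oid_len < 2 or oid[0] != 0x06 or oid[1] != oid_len - 2:
        raise ValueError("bad MECH_OID")
    pos = 4 + oid_len
    if len(blob) < pos + 4:
        raise ValueError("truncated NAME_LEN")
    (name_len,) = struct.unpack(">I", blob[pos:pos + 4])
    name = blob[pos + 4:]
    if len(name) != name_len:  # catches both truncation and trailing bytes
        raise ValueError("NAME_LEN does not match payload")
    return oid, name

def krb5_principal_from_exported_name(blob: bytes) -> str:
    """The "check the result" step before krb5_parse_name(): mechanism must be
    Kerberos V5 and the name NUL-free, since krb5_parse_name() takes a C string."""
    oid, name = parse_exported_name(blob)
    if oid != KRB5_MECH_OID_DER:
        raise ValueError("not a Kerberos V5 exported name")
    if b"\x00" in name:
        raise ValueError("embedded NUL in principal")
    return name.decode("utf-8")

def split_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm), honouring backslash
    escapes as krb5_parse_name() does (simplified: '\\x' is always a literal x)."""
    comps, cur, i = [], [], 0
    while i < len(principal):
        c = principal[i]
        if c == "\\" and i + 1 < len(principal):
            cur.append(principal[i + 1])
            i += 2
            continue
        if c == "/":
            comps.append("".join(cur))
            cur = []
        elif c == "@":
            if not principal[i + 1:]:
                raise ValueError("empty realm")
            return comps + ["".join(cur)], principal[i + 1:]  # realm taken verbatim
        else:
            cur.append(c)
        i += 1
    raise ValueError("principal has no realm")

def kuserok(principal: str, local_user: str, default_realm: str,
            passwd: set[str], k5login: dict[str, list[str]]) -> bool:
    """Simplified model of MIT krb5_kuserok(): the local account must exist (MIT
    calls getpwnam() to locate the home directory and fails if it is missing);
    with a ~/.k5login the principal must be listed in it; otherwise it must be a
    single-component name in the default realm equal to local_user."""
    if local_user not in passwd:          # `passwd` stands in for the NSS user database
        return False
    if local_user in k5login:             # `k5login` stands in for ~/.k5login files
        return principal in k5login[local_user]
    try:
        comps, realm = split_principal(principal)
    except ValueError:
        return False
    return realm == default_realm and comps == [local_user]

# Constructed sample data standing in for the realm, /etc/passwd and ~/.k5login
REALM = "EXAMPLE.COM"
PASSWD = {"alice", "bob"}
K5LOGIN = {"bob": ["alice@EXAMPLE.COM"]}

def authorize(exported_name: bytes, requested_user: str) -> bool:
    """End to end: exported name -> checked principal string -> kuserok decision."""
    try:
        principal = krb5_principal_from_exported_name(exported_name)
    except ValueError:                    # covers UnicodeDecodeError as well
        return False
    return kuserok(principal, requested_user, REALM, PASSWD, K5LOGIN)

if __name__ == "__main__":
    alice = build_exported_name(KRB5_MECH_OID_DER, "alice@EXAMPLE.COM")
    print([authorize(alice, u) for u in ("alice", "bob", "carol")])  # [True, True, False]
```

Two points the code makes concrete: the exported name carries its own length fields and mechanism OID, so a server can reject a non-Kerberos or malformed name before any string comparison, whereas a display name is just whatever text the mechanism chose to print; and the kuserok decision is not a pure string equality, since it depends on the local account existing, on the default realm, and on ~/.k5login, which is why comparing two exported names byte for byte is not a substitute for it.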

