[Dovecot] v1.2.2 released

Timo Sirainen tss at iki.fi
Mon Jul 27 13:41:24 EEST 2009


On Jul 27, 2009, at 5:06 AM, Peter Eriksson wrote:

> "mech-gssapi.c", line 276: undefined symbol: gss_mech_krb5
> "mech-gssapi.c", line 276: warning: improper pointer/integer
> combination: arg #2
..
> "gss_mech_krb5" is not a valid variable on Solaris.

Oh, there are more GSSAPI implementations than just MIT and Heimdal? :)
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/ac2e37e4c2c1

> Do you really have to check that GSSAPI is using Kerberos? Why not
> leave it up to the system to use whatever default authentication
> mechanism is chosen (currently that probably is Kerberos, but other
> things might pop up in the future - you never know). The whole point
> of using GSSAPI is that it should be agnostic to the authentication
> mechanism used "behind the scenes"...

GSSAPI SASL mechanism is meant only for Kerberos. I don't really know  
why. RFC 4752 says:

Upon successful establishment of the security context (i.e.,  
GSS_Accept_sec_context returns GSS_S_COMPLETE), the server SHOULD  
verify that the negotiated GSS-API mechanism is indeed Kerberos V5  
[KRB5GSS]. This is done by examining the value of the mech_type  
parameter returned from the GSS_Accept_sec_context call. If the value  
differs, SASL authentication MUST be aborted.

Also Heimdal's author said that comparing GSSAPI display names is  
dangerous if this check isn't done. That's the main reason I added the  
check.

> Another issue when building 1.2.2 that wasn't there with 1.2.1 is that
> "-lsocket" seems to be missing causing linking errors. One example:

Fixed: http://hg.dovecot.org/dovecot-1.2/rev/cd29b745c8dd
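
The mech_type check quoted from RFC 4752 above, as an added example; it is not part of the original message and not the code from the linked Dovecot changesets. It compares against a locally defined Kerberos V5 OID (1.2.840.113554.1.2.2), so it does not depend on the gss_mech_krb5 symbol; oid_desc, mech_is_krb5 and oid_to_dotted are hypothetical names, and oid_desc is a stand-in for gss_OID_desc so the block builds without GSSAPI headers.

```c
/* Added example, not Dovecot's code. oid_desc mirrors gss_OID_desc (RFC 2744);
 * elements is const here only so it can point at the static sample arrays. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t length; const void *elements; } oid_desc;

/* Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, DER content octets. */
static const unsigned char KRB5_OID[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
/* Constructed sample of a different mechanism: SPNEGO, 1.3.6.1.5.5.2. */
static const unsigned char SPNEGO_OID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };

/* 1 only when mech_type is byte-for-byte the Kerberos V5 OID. */
int mech_is_krb5(const oid_desc *m)
{
    return m != NULL && m->elements != NULL &&      /* rejects GSS_C_NO_OID */
           m->length == sizeof(KRB5_OID) &&
           memcmp(m->elements, KRB5_OID, sizeof(KRB5_OID)) == 0;
}

/* Dotted-decimal form for the log line; -1 if malformed or out is too small. */
int oid_to_dotted(const oid_desc *m, char *out, size_t outlen)
{
    const unsigned char *p = m ? m->elements : NULL;
    unsigned long arc = 0;
    size_t used = 0;
    int n;
    if (p == NULL || m->length == 0) return -1;
    for (uint32_t i = 0; i < m->length; i++) {
        if (arc > (ULONG_MAX >> 7)) return -1;      /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                  /* more octets in this arc */
        if (used == 0)                              /* first value packs 40*a + b */
            n = snprintf(out, outlen, "%lu.%lu",
                         arc < 80 ? arc / 40 : 2UL, arc < 80 ? arc % 40 : arc - 80);
        else
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        arc = 0;
    }
    return (p[m->length - 1] & 0x80) ? -1 : 0;      /* last arc cut short */
}

int main(void)
{
    oid_desc got = { sizeof(SPNEGO_OID), SPNEGO_OID };
    char buf[64];
    if (!mech_is_krb5(&got) && oid_to_dotted(&got, buf, sizeof buf) == 0)
        printf("aborting SASL GSSAPI auth: mech_type %s is not Kerberos V5\n", buf);
    return 0;
}
```

In a real server the oid_desc argument would be the mech_type returned by gss_accept_sec_context once it reports GSS_S_COMPLETE.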

