[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Kerberos support in standard services
On Wednesday 06 July 2005 20:16, firstname.lastname@example.org wrote:
> On Thu, 7 Jul 2005, Brian May wrote:
> > On this mailing list people have said
> > * cryus imap and pop support SASL.
> > * evolution supports GSSAPI (hopefully via SASL?)
> The University of Washington imapd supports GSSAPI over SASL, as does
Mutt also supports it. You can put for instance "set
imap_authenticators="gssapi:login"" into your .muttrc. And KMail also
supports it for IMAP, POP, and SMTP, and it can even query the server which
SASL mechanisms it supports.
> One of the things I've been thinking about for a while is setting up a web
> site about Kerberized protocols - listing protocols, and the options for
> Kerberos compatible clients and servers. It's one of the things that
> continually troubles us when deploying new services. Maybe I should get
> along and do this.
> > Once-upon-a-time there was an Apache module for Kerberos
> > authentication. It seemed a bit pointless at the time, because no
> > clients supported it. Also SASL would be better... What is the current
> > status of this module. Does it still exist?
> Possibly not the module you're thinking of (there were a number of
> mod_auth_kerb auth modules that just took the user's password and slung it
> at the KDC - not really real Kerberos). But there is now code to support
> Microsoft's HTTP-Negotiate mechanism (GSSAPI/SPNEGO/Kerberos HTTP
> authentication) as an Apache module. HTTP-Negotiate is also supported in
> recent Mozilla and Firefox builds.
The Apache module (mod_auth_kerb) works very well. On the client side
HTTP-Negotiate authentication is also available in Konqueror (actually it's
in the kio_http ioslave) and I also hacked it into Lynx (but I never got
around to send patches back).