
Re: Kerberos support in standard services

On Wednesday 06 July 2005 20:16, sxw@dcs.ed.ac.uk wrote:
> On Thu, 7 Jul 2005, Brian May wrote:
> > On this mailing list people have said
> >  * cyrus imap and pop support SASL.
> >  * evolution supports GSSAPI (hopefully via SASL?)
>
> The University of Washington imapd supports GSSAPI over SASL, as does
> 'pine'.

Mutt also supports it. You can put for instance
"set imap_authenticators="gssapi:login"" into your .muttrc. And KMail also
supports it for IMAP, POP, and SMTP, and it can even query the server which
SASL mechanisms it supports.

> One of the things I've been thinking about for a while is setting up a web
> site about Kerberized protocols - listing protocols, and the options for
> Kerberos compatible clients and servers. It's one of the things that
> continually troubles us when deploying new services. Maybe I should get
> along and do this.
>
> > Once-upon-a-time there was an Apache module for Kerberos
> > authentication. It seemed a bit pointless at the time, because no
> > clients supported it. Also SASL would be better... What is the current
> > status of this module? Does it still exist?
> Possibly not the module you're thinking of (there were a number of
> mod_auth_kerb auth modules that just took the user's password and slung it
> at the KDC - not really real Kerberos). But there is now code to support
> Microsoft's HTTP-Negotiate mechanism (GSSAPI/SPNEGO/Kerberos HTTP
> authentication) as an Apache module. HTTP-Negotiate is also supported in
> recent Mozilla and Firefox builds.

The Apache module (mod_auth_kerb) works very well. On the client side 
HTTP-Negotiate authentication is also available in Konqueror (actually it's 
in the kio_http ioslave) and I also hacked it into Lynx (but I never got 
around to sending patches back).