[Psi-Devel] GSSAPI / Kerberos single-signon
Justin Karneges
justin-psi2 at affinix.com
Sat Nov 10 13:01:06 PST 2007
Hi,
A couple of years ago, Simon Wilkinson suggested on Psi-devel how to enable
Psi to use GSSAPI logins. This allows Psi to log in without a password, for
example on a Kerberos network.
His work can be found here:
http://www.sxw.org.uk/computing/patches/jabber.html
Thread:
http://lists.affinix.com/htdig.cgi/psi-devel-affinix.com/2005-July/003992.html
At the time, he modified Psi 0.9.3, and essentially his patch does the
following:
- Enable SASL in Iris
- Fall back to a different mechanism if GSSAPI fails
This was enough to get Psi working, presumably with his jabberd2 deployment.
Today, in 0.11, we have SASL enabled in Iris. This means that Psi
works "out-of-the-box" with GSSAPI, provided you have the qca-cyrus-sasl
plugin installed.
I tested this myself by using Psi against Ambrosia (okay, strange server
example), and I was able to log in. It might be nice to try Psi against some
real Jabber server, too. I'm pretty sure Psi is working right though, since
according to Simon, all we had to do was enable SASL, and we've done that.
Open issues:
1) We should fall back to a different mechanism if GSSAPI fails. See
Simon's psi-devel post about this.
2) Psi requires a password to be input for an account or it won't try to
log in. We should show this password prompt only if Iris requests a password.
For now you can just type a bogus password to get logged in.
3) Decide what to do about shipping/recommending qca-cyrus-sasl.
-Justin
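
A sketch of the behaviour asked for in open issues 1 and 2, added here as an example and not taken from Psi, Iris, QCA or Simon's patch. Every name in it is hypothetical, and the preference order and the rule against using PLAIN without TLS are assumed policy.

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

// Hypothetical types and names for illustration; none of this is Iris or QCA API.
struct AuthResult {
    bool ok;                // true if some mechanism succeeded
    std::string mechanism;  // the mechanism that succeeded, empty on failure
    bool passwordPrompted;  // whether the user was ever asked for a password
};

// One SASL exchange with the given mechanism; returns true on success.
using TryMech = std::function<bool(const std::string &mech, const std::string &password)>;
// Shows the password prompt and returns what the user typed.
using AskPassword = std::function<std::string()>;

// GSSAPI authenticates with the Kerberos ticket; these mechanisms need a password.
static bool needsPassword(const std::string &mech) {
    return mech == "DIGEST-MD5" || mech == "PLAIN";
}

// Try each mutually supported mechanism in client preference order (assumed policy),
// moving on when one fails, and prompt only once a password mechanism is reached.
AuthResult authenticate(const std::vector<std::string> &serverMechs, bool tlsActive,
                        const TryMech &tryMech, const AskPassword &askPassword) {
    static const std::vector<std::string> preference = {"GSSAPI", "DIGEST-MD5", "PLAIN"};
    bool prompted = false;
    std::string password;
    for (const std::string &mech : preference) {
        if (std::find(serverMechs.begin(), serverMechs.end(), mech) == serverMechs.end())
            continue;  // the server did not advertise this mechanism
        if (mech == "PLAIN" && !tlsActive)
            continue;  // assumed policy: no fallback to a cleartext password without TLS
        if (needsPassword(mech) && !prompted) {
            password = askPassword();  // the prompt appears only when actually needed
            prompted = true;
        }
        if (tryMech(mech, password))
            return {true, mech, prompted};
    }
    return {false, "", prompted};
}
```

With a valid Kerberos ticket the first attempt succeeds and the user never sees a password prompt; without one, the client moves to the next mechanism the server advertised.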