[Psi-Devel] GSSAPI / Kerberos single-signon
Laurent Pinchart
laurent.pinchart at skynet.be
Sat Nov 10 13:20:30 PST 2007
Hi Justin,
On Saturday 10 November 2007, Justin Karneges wrote:
> Hi,
>
> A couple of years ago, Simon Wilkinson suggested on Psi-devel how to enable
> Psi to use GSSAPI logins. This allows Psi to log in without a password, for
> example on a Kerberos network.
>
> His work can be found here:
> http://www.sxw.org.uk/computing/patches/jabber.html
> Thread:
> http://lists.affinix.com/htdig.cgi/psi-devel-affinix.com/2005-July/003992.html
>
> At the time, he modified Psi 0.9.3, and essentially his patch does the
> following:
> - Enable SASL in Iris
> - Fall back to a different mechanism if GSSAPI fails
>
> This was enough to get Psi working, presumably with his jabberd2
> deployment.
>
> Today, in 0.11, we have SASL enabled in Iris. This means that Psi
> works "out-of-the-box" with GSSAPI, provided you have the qca-cyrus-sasl
> plugin installed.
>
> I tested this myself by using Psi against Ambrosia (okay, strange server
> example), and I was able to log in. It might be nice to try Psi against
> some real Jabber server, too. I'm pretty sure Psi is working right though,
> since according to Simon, all we had to do was enable SASL, and we've done
> that.
I've been able to get Psi to authenticate against jabberd2 using GSSAPI.
> Open issues:
> 1) We should fall back to a different mechanism if GSSAPI fails. See
> Simon's psi-devel post about this.
> 2) Psi requires a password to be input for an account or it won't try to
> log in. We should show this password prompt only if Iris requests a
> password. For now you can just type a bogus password to get logged in.
Agreed, but there might be a timeout issue with some servers. I recently got
disconnected from jabber.org while negotiating TLS because I didn't dismiss
the TLS certificate warning fast enough. Not sure if the short timeout is
applied to authentication as well.
> 3) Decide what to do about shipping/recommending qca-cyrus-sasl.
--
Laurent Pinchart