[Psi-Devel] GSSAPI / Kerberos single-signon
Simon Wilkinson
simon at sxw.org.uk
Sat Nov 10 13:16:30 PST 2007
On 10 Nov 2007, at 21:01, Justin Karneges wrote:
> A couple of years ago, Simon Wilkinson suggested on Psi-devel how to enable
> Psi to use GSSAPI logins. This allows Psi to login without a password, for
> example on a Kerberos network.
I'm still lurking on this list. Hopefully I'll get a chance to try
out 0.11 against our Kerberised Jabber service shortly. Over time
some things have become a little clearer than when I originally wrote
that patch. In particular, it's important that the SASL libraries use
the FQDN of the server being connected to (after any SRV resolution),
rather than the domain of the user's JID, when providing the service
name to Cyrus. I don't know if Psi is doing this, but it's worth
checking, as it seems to be the single largest cause of client side
problems with GSSAPI.
> This was enough to get Psi working, presumably with his jabberd2 deployment.
It was with Jabberd2 originally, yes. Whilst that code is still in
Jabberd2, you need to build that server with the Cyrus, rather than
GSASL libraries. Many other servers now also have SASL and GSSAPI
support available.
> Open issues:
> 1) We should fall back to a different mechanism if GSSAPI fails. See
> Simon's psi-devel post about this.
This is pretty important from a usability perspective. I think my
original post described how the control flow should work, but I'm
happy to offer further comments.
Cheers,
Simon.
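An added illustration of the two points above (the service name given to the SASL library must name the host actually connected to after SRV resolution, and the client should fall back when GSSAPI cannot be used); this is example code, not Psi's or Jabberd2's, and it assumes the `xmpp` service name in Cyrus's `service@host` form, a constructed SRV table in place of live DNS, and a hypothetical preference list for the fallback.

```python
"""Added example: GSSAPI service name from the connected FQDN, plus mechanism fallback."""
from typing import Iterable, Optional

# Constructed SRV data standing in for a live DNS lookup: the JID domain
# delegates client connections to a host with a different name.
CONSTRUCTED_SRV = {
    "_xmpp-client._tcp.example.org": [
        # (priority, weight, port, target)
        (10, 5, 5222, "xmpp1.example.org."),
        (20, 0, 5222, "backup.example.org."),
    ],
}


def resolve_xmpp_host(jid_domain: str, srv=CONSTRUCTED_SRV) -> str:
    """FQDN the client really connects to: best SRV target (lowest priority,
    then highest weight), trailing dot stripped; the bare domain if no SRV."""
    records = srv.get(f"_xmpp-client._tcp.{jid_domain}")
    if not records:
        return jid_domain
    _prio, _weight, _port, target = min(records, key=lambda r: (r[0], -r[1]))
    return target.rstrip(".")


def gssapi_service_name(jid_domain: str, srv=CONSTRUCTED_SRV) -> str:
    """Name handed to the SASL library. The host part is the connected FQDN,
    not the user's JID domain; the KDC only has a ticket for the former."""
    return f"xmpp@{resolve_xmpp_host(jid_domain, srv)}"


# Hypothetical client preference, strongest first.
MECHANISM_PREFERENCE = ["GSSAPI", "SCRAM-SHA-1", "DIGEST-MD5", "PLAIN"]


def choose_mechanism(offered: Iterable[str], have_tgt: bool, tls_active: bool,
                     failed: Iterable[str] = ()) -> Optional[str]:
    """Pick the strongest offered mechanism, skipping GSSAPI when the user has
    no Kerberos credentials, any mechanism that already failed on this
    connection, and PLAIN unless TLS protects the password on the wire."""
    offered, failed = set(offered), set(failed)
    for mech in MECHANISM_PREFERENCE:
        if mech not in offered or mech in failed:
            continue
        if mech == "GSSAPI" and not have_tgt:
            continue
        if mech == "PLAIN" and not tls_active:
            continue
        return mech
    return None
```

Call `choose_mechanism` again with the failed mechanism added to `failed` to get the next candidate after a GSSAPI failure.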