[Psi-Devel] GSSAPI / Kerberos single-signon
Simon Wilkinson
simon at sxw.org.uk
Sat Nov 10 13:52:18 PST 2007
On 10 Nov 2007, at 21:40, Justin Karneges wrote:
> On Saturday 10 November 2007 1:16 pm, Simon Wilkinson wrote:
>> that patch. In particular, it's important that the SASL libraries use
>> the FQDN of the server being connected to (after any SRV resolution),
>> rather than the domain of the user's JID, when providing the service
>> name to Cyrus. I don't know if Psi is doing this, but it's worth
>> checking, as it seems to be the single largest cause of client side
>> problems with GSSAPI.
>
> We were wondering about this as well. Do you have any reference/spec that
> shows we should use the target server being connected to?
There's not that much that's useful specification wise in this space
at the moment (and it's all going to change again when domain based
naming for GSSAPI becomes widely available). I've had a number of
conversations on the jdev and kerberos mailing lists about this which
I can dig up some references for if that would help, and it's also
worth looking at what the email clients do in this space, too.
The best I can give you at the moment is in terms of this reference
from the SASL headers:
/* initialize a client exchange based on the specified mechanism
 *  service    -- registered name of the service using SASL (e.g. "imap")
 *  serverFQDN -- the fully qualified domain name of the server
 */
That is, Cyrus expects you to pass a FQDN in for the server, not an
alias. Compare this with the language in RFC4752 (which defines the
GSSAPI SASL mechanism), which says that the GSSAPI identity of the
server is '"service@hostname" where "service" is the service name
specified in the protocol's profile, and "hostname" is the fully
qualified host name of the server' - so you have to be able to tell
the GSSAPI mechanism the FQDN of the server it's connecting to.
Neither DIGEST-MD5 (RFC2831) nor PLAIN (RFC4616) use the FQDN for
anything, so setting it to the correct value should have no effect.
It's what all of the other Jabber GSSAPI implementations that I am
aware of are now doing.
Cheers,
Simon.
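As an added illustration of the point above (example code, not from the thread or from Psi): given the user's JID domain and an SRV lookup, compute the serverFQDN a client should pass to sasl_client_new() and the RFC 4752 "service@hostname" name that results. It assumes "xmpp" as XMPP's registered SASL service name and uses constructed zone data in place of live DNS.

```python
# Added example (not from the thread): pick the serverFQDN that a client should
# hand to sasl_client_new() for XMPP. "xmpp" is XMPP's registered SASL service
# name; the zone data below is constructed so the code runs offline.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SASL_SERVICE = "xmpp"
SRV_LABEL = "_xmpp-client._tcp."
DEFAULT_PORT = 5222

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

Resolver = Callable[[str], List[Srv]]  # SRV lookup, injected (no live DNS)

def canon(name: str) -> str:
    """Drop the trailing dot and fold case so the principal name is stable."""
    return name.rstrip(".").lower()

def connect_target(jid_domain: str, srv_lookup: Resolver) -> Tuple[str, int]:
    """Host and port actually connected to: best SRV target, else the domain
    itself on 5222. Lowest priority then highest weight (simplified; RFC 2782
    picks among equal priorities by weighted random choice)."""
    records = srv_lookup(SRV_LABEL + canon(jid_domain))
    if not records:
        return canon(jid_domain), DEFAULT_PORT
    best = min(records, key=lambda r: (r.priority, -r.weight))
    return canon(best.target), best.port

def sasl_client_args(jid_domain: str, srv_lookup: Resolver) -> Dict[str, str]:
    """service/serverFQDN for sasl_client_new(), plus the RFC 4752
    "service@hostname" name Cyrus will ask the KDC for. Passing the JID
    domain here instead would yield xmpp@example.com, a principal that
    normally does not exist, which is the failure the thread describes."""
    fqdn, _ = connect_target(jid_domain, srv_lookup)
    return {"service": SASL_SERVICE, "serverFQDN": fqdn,
            "gssapi_name": f"{SASL_SERVICE}@{fqdn}"}

# Constructed zone: example.com delegates XMPP to real hosts; other names have no SRV.
ZONE: Dict[str, List[Srv]] = {"_xmpp-client._tcp.example.com": [
    Srv(10, 60, 5222, "xmpp1.example.com."), Srv(10, 40, 5222, "xmpp2.example.com."),
    Srv(20, 0, 5223, "backup.example.com.")]}

def fake_srv(name: str) -> List[Srv]:
    return ZONE.get(name, [])
```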