[31733] in Kerberos


Re: XMPP & Kerberos 5

daemon@ATHENA.MIT.EDU (Garrett Wollman)
Mon Nov 30 14:04:37 2009

From: wollman@bimajority.org (Garrett Wollman)
Date: Mon, 30 Nov 2009 18:49:54 +0000 (UTC)
Message-ID: <hf144h$312m$2@grapevine.csail.mit.edu>
X-Complaints-To: security@csail.mit.edu
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In article <mailman.32.1259603328.4612.kerberos@mit.edu>,
Russ Allbery  <rra@stanford.edu> wrote:

>The correct way of using Kerberos is for the user's credentials to never
>leave the local system.  In practice, it's an ideal that usually can't be
>reached, but every place where the Kerberos password leaves the local
>system and is validated on a remote system is a place that's going to
>break when you want to switch to something better than passwords, such as
>smart-card authentication.

On our systems, we require users to have two distinct passwords: their
Kerberos password, which is only used for login-equivalent
authentication and certificate generation, and their "email" password,
which is used by the IMAP server (Cyrus), the outgoing mail relay
(Exim), and the XMPP server (eJabberd).  Doing this for IMAP was
necessary in order to support webmail, and having done so, it made
sense to piggyback other applications requiring non-login password
authentication on the IMAP passwords.  I don't know how many users
have ended up changing their two passwords to be the same (we
discourage that but we don't have a mechanism to prevent it), but we
ensure that they at least start out different.

Since no commonly-used XMPP clients support GSSAPI authentication, we
have not looked seriously at supporting it on the server side.  We do
support it for email.

-GAWollman
(in this case writing from, but not for, MIT CSAIL)

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners? - S.J. Gould, 1993
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
