I have worked in the IETF on the specification for the next generation GSSAPI-to-SASL bridge called GS2 (see my status page for background) for a couple of years now. The specification is (finally!) in the RFC editor’s queue, and is supposed to be stable and final although we are still tuning some details. The next step is to implement the protocol and do interop testing. A couple of months of implementation and testing work culminated in tonight’s release of GNU SASL 1.5.0 (see announcement here). Or should I say that the work can now begin…
To get you started with GS2-KRB5 here is a brief walk-through on installing GNU SASL 1.5.0 on a Mac OS X machine and using it to connect to my GS2-KRB5 interop server. I’m assuming you have already installed a compiler on your system. Start by downloading and installing GNU SASL:
wget -q ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.5.0.tar.gz tar xfz gsasl-1.5.0.tar.gz cd gsasl-1.5.0 ./configure --prefix=$HOME CFLAGS=-g make all check install
Next you need to configure Kerberos on your system. If you have already have a configuration, make sure to take a backup of your configuration files. First let’s tell your machine about my interop Kerberos V5 realm by creating a file ~/Library/Preferences/edu.mit.Kerberos with the following content:
[libdefaults]
default_realm = interop.josefsson.org
[realms]
interop.josefsson.org = {
kdc = interop.josefsson.org:88
}
[domain_realm]
interop.josefsson.org = interop.josefsson.org
Next get a ticket for a dummy user. Use the password ‘pass’ at the prompt:
espresso:~ jas$ kinit [email protected] Please enter the password for [email protected]: espresso:~ jas$ klist Kerberos 5 ticket cache: 'API:Initial default ccache' Default principal: [email protected] Valid Starting Expires Service Principal 03/31/10 00:59:04 03/31/10 10:59:02 krbtgt/[email protected] renew until 01/01/70 01:00:00 klist: No Kerberos 4 tickets in credentials cache espresso:~ jas$
Next connect to my test IMAP server using the command-line ‘gsasl’ tool (long lines cut for legibility):
espresso:~ jas$ ~/bin/gsasl interop.josefsson.org -auser Trying `interop.josefsson.org'... * OK IMAP4rev1 . CAPABILITY * CAPABILITY ... AUTH=GS2-KRB5 . OK CAPABILITY Completed . AUTHENTICATE GS2-KRB5 + biwsAQBuggINMIICCa... + YHEGCSqGSIb3EgEC... . OK AUTHENTICATE GS2-KRB5 authentication successful Client authentication finished (server trusted)... Enter application data (EOF to finish): . list "" "*" * LIST (NoInferiors) NIL INBOX * LIST (NoInferiors) "/" .bashrc * LIST (NoInferiors) "/" .bash_logout * LIST (NoInferiors) "/" .profile * LIST (NoInferiors) "/" .bash_history . OK LIST Completed . logout * BYE Session terminating. . OK LOGOUT Completed Session finished... . LOGOUT espresso:~ jas$
There! You have just completed a GS2-KRB5 authenticated session.
Of course, this works just as well on your favorite GNU/Linux system, but I thought I’d explain it for a non-GNU platform and GSS-API library to show that the code is quite portable despite its experimental status.
Btw, the server is running GNU Shishi as the Kerberos V5 KDC and GNU MailUtils as the IMAP server. The IMAP server is using GNU SASL in server mode.
Pingback: Bridging SASL and GSS-API: GS2 « Simon Josefsson’s blog
Pingback: GS2-KRB5 using GNU SASL and MIT Kerberos for Windows « Simon Josefsson’s blog
I realize that this is 3 years old by now, but I thought I’d mention anyway:
1) Password does not work anymore.
2) The [libdefaults] section is not needed.
3) The [realms] section changes could be avoided if your domain had:
_kerberos._udp.interop.josefsson.org. SRV 0 0 88 interop.josefsson.org.
_kerberos._tcp.interop.josefsson.org. SRV 0 0 88 interop.josefsson.org.
4) The [domain_realm] section changes could be avoided if the realm was in upper-case. Some, but not all, systems also use:
_kerberos.interop.josefsson.org. TXT “interop.josefsson.org”