At 9AM +0200 on 24/05/13 you ([email protected]) wrote:
> On Fri, 24 May 2013, Ben Morrow wrote:
> > At 4PM -0700 on 23/05/13 you (Dan Mahoney, System Admin) wrote:
> >
> >> I could also create a dovecot-only user with my UID and no other login
> >> privileges, but I'd like this to "just work" for anyone.
> >
> > I believe with the latest 2.2 you can also do this with Kerberos
> > principals, if you're running Kerberos; I haven't looked into this yet,
> > but I mean to (for much the same reason).
>
> To access the mail storage on the imap server you can just speak the imap
> protocol and authenticate against the imap server just like any other mail
> client would do. If you are using Kerberos and have a ticket granting
> ticket (after e.g. kinit) then the authentication against a properly
> configured imap server is done without typing passwords. If the imap
> server does support pam (and dovecot does) then this is handled there.
I didn't quite mean that: yes, that is 'passwordless' in a sense, but you
still have to have typed a password into kinit fairly recently.

What I meant was that with 2.2 it's finally possible to set a list of krb5
principals for imap which is different from the list in .k5login. This
makes it possible to create special-purpose principals, which can have
their keys put in a keytab, which can then log on as an ordinary imap user.

This is somewhat similar to the 'ssh keys with a forced command' idea,
except that the whole thing is a good deal more secure because the keys can
be cancelled centrally.

Ben
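The setup Ben describes, written out as an added example (it is not code from the thread or from the Dovecot project): a dedicated principal `dan/mailsync@EXAMPLE.COM` gets its key into a keytab, and Dovecot 2.2 lets it log in as the ordinary mailbox user `dan` because the principal is listed in the passdb's `k5principals` extra field (a Dovecot 2.2+ field that only applies to the GSSAPI mechanism), independently of `~dan/.k5login`. The option names `auth_mechanisms`, `auth_krb5_keytab`, `auth_gssapi_hostname`, the `passwd-file` passdb and the `k5principals` field are Dovecot's; the realm, hostname, user name, principal name, file paths and the use of a `conf.d` drop-in are assumptions for the example. The `principal_allowed` function only models the server-side rule so it can be checked offline; it is not Dovecot's code.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project.
# Realm, hostname, user, principal and paths below are assumptions.
set -eu

REALM=EXAMPLE.COM
IMAP_USER=dan
SVC_PRINC="$IMAP_USER/mailsync@$REALM"
KEYTAB="/home/$IMAP_USER/.mailsync.keytab"
PASSWD_FILE=/etc/dovecot/imap-principals

# One passwd-file line: user:password:uid:gid:gecos:home:shell:extra_fields.
# The password field is never consulted by GSSAPI, so a fixed dummy is used
# (only the gssapi mechanism is enabled below). Remaining arguments are the
# Kerberos principals allowed to log in as $1.
passwd_file_line() {
    user=$1; shift
    principals=$(printf '%s,' "$@")
    printf '%s:{PLAIN}unused::::::k5principals=%s\n' "$user" "${principals%,}"
}

# Offline model of the rule Dovecot applies with k5principals: a principal
# may log in as the user only if it appears in that user's list. Not
# Dovecot's code; used here to sanity-check the generated line.
principal_allowed() {
    line=$1; princ=$2
    list=${line##*k5principals=}
    case ",$list," in
        *",$princ,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Server side: GSSAPI-only auth, a passwd-file passdb that carries the
# per-user principal list, and the system passwd database for home dirs.
# Assumes dovecot.conf includes conf.d/*.conf (the default layout).
write_dovecot_config() {
    cat > /etc/dovecot/conf.d/10-kerberos.conf <<EOF
auth_mechanisms = gssapi
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_gssapi_hostname = imap.example.com
passdb {
  driver = passwd-file
  args = $PASSWD_FILE
}
userdb {
  driver = passwd
}
EOF
    # dan may log in with his own principal or with the mailsync one.
    passwd_file_line "$IMAP_USER" "$IMAP_USER@$REALM" "$SVC_PRINC" > "$PASSWD_FILE"
    chmod 600 "$PASSWD_FILE"
}

# KDC side (needs kadmin rights): random key, never a typed password, and
# the key goes into a keytab readable only by the user.
create_service_principal() {
    kadmin -q "addprinc -randkey $SVC_PRINC"
    kadmin -q "ktadd -k $KEYTAB $SVC_PRINC"
    chown "$IMAP_USER" "$KEYTAB"
    chmod 600 "$KEYTAB"
}

# Client side (e.g. from the user's cron job): a TGT from the keytab into a
# private credential cache; a GSSAPI-capable IMAP client then authenticates
# as $SVC_PRINC and Dovecot maps it to mailbox user $IMAP_USER.
kinit_from_keytab() {
    export KRB5CCNAME="FILE:/tmp/krb5cc_mailsync_$(id -u)"
    kinit -kt "$KEYTAB" "$SVC_PRINC"
}

# Central revocation: deleting the principal invalidates every copy of the
# keytab at once, with nothing to clean up on the IMAP server.
revoke_service_principal() {
    kadmin -q "delprinc -force $SVC_PRINC"
}

case "${1:-}" in
    setup)  write_dovecot_config; create_service_principal ;;
    kinit)  kinit_from_keytab ;;
    revoke) revoke_service_principal ;;
esac
```

Run `sh mailsync.sh setup` on the IMAP host (with kadmin access), `sh mailsync.sh kinit` as the user before the IMAP client starts, and `sh mailsync.sh revoke` to cancel the principal centrally; without an argument the script only defines the functions.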
