Folks, In debugging why my GSSAPI authenticator (cyrus_sasl driver) had stopped working, I made a number of fixes, which are on the sasl_fixes branch. Does anyone fancy giving them a look over for sanity?
$tls_bits is a new variable; that's fed into sasl_setprop(.., SASL_SSF_EXTERNAL, ...) for the Exim-as-server case. Should probably be done for the client too.

In the end, my problems are caused by Heimdal; I've sent mail to heimdal-discuss@: http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/6701 (I noticed this in Heimdal 1.4, not sure when the problem was introduced).

In short: KRB5_KTNAME is no longer honoured for processes that have had security boundary transitions, such as Exim. So using a different keytab is impossible at present, thus the client library falls back to trying to get "host/$system_primary_hostname" credentials from the KDC.

Once I figure out, or am told, the API to use to override the keytab in source, I'll add a HEIMDAL build-option to Exim and add the knobs to let that be set. This means bypassing the cyrus-sasl abstraction layer, but we don't appear to have a choice.

If there's anyone using MIT's Kerberos implementation reading: is there an API call needed to override the keytab there too?

--
https://twitter.com/syscomet
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
