> I am confused by what people mean when they say "Kerberos
> authenticated POP" in this thread. Do you mean "POP client sends
> cleartext password to POP server which uses it to authenticate with
> AFS Kerberos", or do you mean "POP client uses Kerberos service ticket
> to authenticate securely with POP server"?
Yes. I think most people here are talking about the latter, but
we're actually using both. For our users who don't have Kerberos-aware
POP clients, we provide a pop3 server that accepts a username and
password, then attempts to get Kerberos tickets as <username>.mail.
That way, users can have a separate insecure password used only for
reading mail, which is not able to do anything else.
> I'm hoping that I will not have to switch from AFS Kerberos to MIT
> Kerberos.
No problem here - the kaserver speaks the MIT Kerberos V4 protocol,
so any V4 clients will work correctly with your kaservers.
> The only freeware Unix MUAs which do POP seem to be mh, PINE, and
> Mutt. I strongly dislike mh. Unless something has changed recently,
> PINE does not do "disconnected mode" with either POP or IMAP - a fact
> which is as disgusting as it is astonishing. Mutt does POP correctly,
> but does not do Kerberized POP (as far as I know). Mutt is in "alpha",
> but works quite well, supports MIME and PGP, and has a nice user
> interface.
Actually, ML (http://www-camis.stanford.edu/projects/imap/ml) also
does POP, as does anything that uses the c-client library used by Pine.
Such programs don't do Kerberized POP or IMAP out of the box, but
patches are readily available for Kerberized IMAP, which will
eventually appear in the standard distribution (and may already).
I've recently done some work on c-client to make it do Kerberized
POP as well; I'll be happy to send those patches to any US parties
who are interested.
> Netscape 3 and 4 do POP, but not Kerberized. Netscape can also use
> "movemail", but "movemail" does not seem to support Kerberized POP
> (but I'll bet it could).
I believe we have a movemail for netscape that does do Kerberized
POP. If you're interested, let me know, and I'll look into it.
> On PCs and Macs, Netscape is the same as on Unix, but without "movemail".
> Eudora supports POP with or without Kerberos, but I'm not sure whether
> or not it will work with AFS Kerberos.
Basically, anything that works with V4 Kerberos will work with AFS.
The more annoying problem here is the pop server - there are two
slightly different de facto standards for how to do the authentication:
Qualcomm's way and everyone else's. Fortunately, the difference is
small enough that you can decide at compile time which to support,
and, depending on your Kerberos library, possibly support both.
> The only circumstance in which I think Kerberos authentication would
> pose a performance problem is when the POP or IMAP server is obtaining
> an AFS fileservice ticket in addition to simply authenticating with
> Kerberos. This is harmful and unnecessary.
That's true. The most harmful part, though, is getting AFS _tokens_
for each user. Once you get tokens, a PAG is created, and doesn't
get cleaned up until up to 2 hours after the tokens are expired or
discarded. So, if you get tokens and don't do 'unlog' or some
equivalent operation, then you start to leak memory on a machine
that has many authentications happening.
> I would appreciate any corrections/additions to the above. Especially
> useful would be cookbook instructions on using AFS Kerberos for POP
> authentication.
I'll be happy to send along my patches to Pine to do Kerberized POP,
if you're interested....
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA