>I am confused by what people mean when they say "Kerberos
>authenticated POP" in this thread.  Do you mean "POP client sends
>cleartext password to POP server which uses it to authenticate with
>AFS Kerberos", or do you mean "POP client uses Kerberos service ticket
>to authenticate securely with POP server"?
>
>I have the former.  I am clearly looking for the latter.

I believe that when people say "AFS Kerberos authenticated POP", they
are talking about the former, because the latter is actually difficult
to impossible.

In short:

- AFS Kerberos discards the TGT after authentication has been completed,
  so all you're left with is an AFS service key, and no way to get any
  other service keys.
- To use the AFS service key for authentication, you'd have to store
  the AFS fileserver key on your POP server, _and_ you'd have to create
  _another_ unspecified KPOP protocol :-)

>I'm hoping that I will not have to switch from AFS Kerberos to MIT
>Kerberos.

Obviously, I don't see anything wrong with doing that :-)  But as
Jeff Hutzelman already pointed out, the kaserver implements a mostly-
correct V4 KDC; you'll just have to change your client login process
to get a Kerberos TGT.

>I have collected the following data in my investigations:
>
>The only freeware Unix MUAs which do POP seem to be mh, PINE, and
>Mutt.  I strongly dislike mh.  Unless something has changed recently,
>PINE does not do "disconnected mode" with either POP or IMAP - a fact
>which is as disgusting as it is astonishing.  Mutt does POP correctly,
>but does not do Kerberized POP (as far as I know).  Mutt is in "alpha",
>but works quite well, supports MIME and PGP, and has a nice user
>interface.

There are also the POP mail grabbers like "fetchmail" that could easily
be Kerberized if they aren't already.

>Netscape 3 and 4 do POP, but not Kerberized.  Netscape can also use
>"movemail", but "movemail" does not seem to support Kerberized POP
>(but I'll bet it could).

Actually, older versions of V5 included a Kerberos movemail ... but for
some reason, the output format for it is different if you're getting
messages via POP, so it breaks when you use it with Netscape.

>On PCs and Macs, Netscape is the same as on Unix, but without "movemail".
>Eudora supports POP with or without Kerberos, but I'm not sure whether
>or not it will work with AFS Kerberos.

I believe the Kerberos software used by the PC version of Eudora
doesn't support the AFS string-to-key algorithm, but the Mac one
does.  At least, that's what I remember from when I was doing our
migration.

>The only circumstance in which I think Kerberos authentication would
>pose a performance problem is when the POP or IMAP server is obtaining
>an AFS fileservice ticket in addition to simply authenticating with
>Kerberos.  This is harmful and unnecessary.

Right, and that's why I wrote auth-noticket, available at:

/afs/transarc.com/public/afs-contrib/tools/auth-noticket

(which doesn't do what you want, unfortunately).

--Ken
