>>>>> "Jim" == Jim Alexander <[EMAIL PROTECTED]> writes:
Jim> In article <[EMAIL PROTECTED]>,
Jim> Simon Wilkinson <[EMAIL PROTECTED]> wrote:
Jim> ]At the moment, if the 'Use Secure Authentication' option is set for a
Jim> ]given protocol, the server at the other end offers GSSAPI as one of its
Jim> ]supported SASL mechanisms, and the first call to init_secure_context for
Jim> ]that server succeeds, we'll try to do GSSAPI auth against that server.
Jim> ]If GSSAPI fails, then we'll fall back to trying a different
Jim> ]authentication scheme.
Jim> This isn't a correct implementation, then. IMAP "secure
Jim> authentication" is supposed to enable non-cleartext
Jim> authentication when lower-level encryption isn't
Jim> available. It makes no sense to have this enabled to enable
Jim> kerberos auth. You need to be able to separately specify
Jim> that you want kerberos authentication, on a per-account
Jim> basis, without the "Use Secure Authentication" option
Jim> enabled. Since our server does not support secure
Jim> authentication, your implementation does the following right
Jim> now:

Sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
definition of IMAP secure authentication.

Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
Jim> a "your server does not support secure authentication"
Jim> dialog. My key manager never prompts me to obtain a ticket.

On Mac and Windows this is not at all what I'd expect. I'd expect you
to be prompted to get tickets.

--Sam
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos