>I've got qpopper 3.1b10x1 compiled successfully on FreeBSD 4.1 with
>Kerberos V support. I've got kuserok() and ksockinst() enabled as
>well. popper is in /etc/inetd.conf with the line:
>
>pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s -k -K pop3
>
>Everything seems to be fine, until I actually try to authenticate through
>the pop server:
>
>bash# telnet localhost 110
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>user jeremy
>-ERR recvauth failed--Bad sendauth version was sent
Yes, that's what should happen when you try doing that. I did that
Kerberos support, so let me speak to it.
The Kerberos support in qpopper is what us folks in the Kerberos community
like to call "real" Kerberos support. By that, we mean that it requires
the use of a Kerberos ticket for authentication, and has all of the
advantages of doing that (forward secrecy, single sign-on, mutual
authentication, not cleartext, etc etc).
The big disadvantage here is that it requires a modified client that
knows how to squirt out the necessary blob of data required by the
Kerberos-aware qpopper. Surprise, surprise; the major consumer of
this is Eudora, which provides a plug-in interface to do this at
connection start time. There are patches (and in some cases, native
support) for doing this for other mailers (but Eudora is the only
commercial product that I'm aware of that does ANY form of Kerberos
authentication).
Now, it sounds like what YOU want is to verify a password against
a Kerberos password database. This is what we in the Kerberos community
call "Kerberos Password Verification". We also call it a lot of other
things that perhaps aren't suitable for a public mailing list, but
a common one is "Giant Security Hole", or "How to Get All the
Disadvantages of Kerberos, but None of the Advantages".
Now, if you are going into this with your eyes open, and understand
the risks associated with this ... then hey, I guess I won't really
say any more (other than to wonder why you would bother). Let's
put further snide comments aside, though, and concentrate on something
that's actually useful for your situation.
If you want to do "Kerberos Password Verification", then that code
hasn't been written. You'd need to write it. You could use the
examples in the Kerberos login program as a starting point.
In an aside, I would be negligent if I didn't mention that the current
protocol used in qpopper (sometimes called KPOP), is completely non-standard
and has some noticeable drawbacks (like no way to do session
encryption). I've written the code to do Kerberos authentication via
the IETF standards-track mechanism, which I've posted about here (this
is the SASL stuff using the Cyrus SASL library). The big sticking
point is that there's no way within Eudora to do the proper type of
authentication. If you have interest in support for "real" Kerberos
authentication, then I'd encourage you to send email to the Eudora
support people and ask for GSSAPI SASL support for POP and IMAP.
(The current sense I've gotten from them is not enough customers are
interested in it).
--Ken