Re: [jabberd2] digest-md5 breaks gssapi
Hi,

I did some further testing and hacked up a little test program that simulates the client behavior (using a completely different SASL implementation).

Apparently the problem is at the client side (i.e. Adium/libpurple), which seems not to clean up properly after the first of its two authentication attempts.

So it seems I need to disable digest-md5 in my configurations when using gssapi for the time being.

Ciao
Andi

--
To unsubscribe send a mail to jabberd2+unsubscr...@lists.xiaoka.com

[jabberd2] digest-md5 breaks gssapi
Hi,

I tried several authentication scenarios with jabberd 2.2.4 (+gsasl 0.2.29) and found that there seems to be a conflict between digest-md5 and gssapi.

I tried

- gssapi + plain (with ldapfull and PAM), which works
- digest-md5 + plain with ldapfull, which works too.

Any combination of gssapi + digest-md5, however, causes authentication to fail with either mechanism. One of the clients (Adium) reported it had received a malformed challenge.

My suspicion is that both mechanisms trash each other's idea of the authentication realm, but that is not very deeply founded.

Any idea what to try or look at next?

Ciao
Andi

Re: [jabberd2] digest-md5 breaks gssapi
On 2009-01-03, Sat at 10:47 +0100, Andreas Hofmeister wrote:

> My suspicion is that both mechanisms trash each other's idea of the authentication realm, but that is not very deeply founded.
>
> Any idea what to try or look at next?

1. Compile jabberd with debugging, then run c2s -D and look for signs of the problem.
2. Look at the decoded SASL exchange (you may find it in debug messages) for incompatibilities.

Re: [jabberd2] digest-md5 breaks gssapi
On 03.01.2009 at 14:31, Tomasz Sterna wrote:

> On 2009-01-03, Sat at 10:47 +0100, Andreas Hofmeister wrote:
>
>> My suspicion is that both mechanisms trash each other's idea of the authentication realm, but that is not very deeply founded.
>>
>> Any idea what to try or look at next?
>
> 1. Compile jabberd with debugging, then run c2s -D and look for signs of the problem.
> 2. Look at the decoded SASL exchange (you may find it in debug messages) for incompatibilities.

Ok, I logged an attempt with GSSAPI only and one with GSSAPI + Digest-MD5 enabled.

In the GSSAPI only case, Adium uses GSSAPI only, which succeeds.

In the second case, Adium first tries to authenticate using Digest-MD5 and, as it has no password, this first attempt fails. It then tries GSSAPI immediately without resetting the connection, but terminates the connection at the first challenge.

When I compare the successful GSSAPI attempt with the failing one, both look quite similar except that in the failing case the first challenge is 272 instead of 276 bytes.

Ciao
Andi
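
An added example, not part of the original thread and not jabberd2 code: one way to carry out the "look at the decoded SASL exchange" step, by grouping the SASL stanzas of one XMPP stream into attempts and reporting mechanism, outcome and decoded challenge sizes. It assumes the stanzas have already been copied out of the debug output or a capture; the function names and the sample capture are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "{urn:ietf:params:xml:ns:xmpp-sasl}"  # XMPP SASL namespace (RFC 6120)

def sasl_attempts(fragment):
    """Group the SASL stanzas of one captured XMPP stream into attempts."""
    attempts = []
    for el in ET.fromstring(f"<capture>{fragment}</capture>"):
        if not el.tag.startswith(SASL_NS):
            continue
        tag = el.tag[len(SASL_NS):]
        text = (el.text or "").strip()
        payload = base64.b64decode(text) if text not in ("", "=") else b""
        if tag == "auth":  # every <auth/> opens a new attempt
            attempts.append({"mech": el.get("mechanism"), "challenges": [],
                             "responses": [], "outcome": None})
        elif attempts and tag in ("challenge", "response"):
            attempts[-1][tag + "s"].append(payload)
        elif attempts and tag in ("success", "failure", "abort"):
            attempts[-1]["outcome"] = tag
    return attempts

def summarize(attempts):
    """(mechanism, outcome, decoded challenge sizes in bytes) per attempt."""
    return [(a["mech"], a["outcome"], [len(c) for c in a["challenges"]])
            for a in attempts]

def retried_on_same_stream(attempts):
    """True if an <auth/> follows a failed or aborted attempt on this stream."""
    return any(a["outcome"] in ("failure", "abort") for a in attempts[:-1])

def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample, not taken from the thread: a DIGEST-MD5 attempt that
# fails, then GSSAPI on the same stream. Token bytes are opaque placeholders.
DIGEST_CHALLENGE = b'realm="example.org",nonce="constructed",qop="auth",algorithm=md5-sess'
CAPTURE = f"""
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>{_b64(DIGEST_CHALLENGE)}</challenge>
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>{_b64(bytes(64))}</auth>
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>{_b64(bytes(272))}</challenge>
"""

if __name__ == "__main__":
    for mech, outcome, sizes in summarize(sasl_attempts(CAPTURE)):
        print(f"{mech:<11} outcome={outcome} challenge bytes={sizes}")
    print("retry on same stream:", retried_on_same_stream(sasl_attempts(CAPTURE)))
```

Running the same summary over a GSSAPI-only capture and a GSSAPI + DIGEST-MD5 capture puts the first-challenge sizes side by side for comparison.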