Recipe 4.16 Securing IMAP with Kerberos

Previous page
Table of content
Next page

4.16.1 Problem

You want to take advantage of your MIT Kerberos-5 infrastructure for authentication to your mail server.

4.16.2 Solution

Use a mail client that supports GSSAPI Kerberos authentication via the IMAP AUTHENTICATE command, such as mutt or pine.

If you have set up an IMAP server using imapd , and a Kerberos realm [Recipe 4.11], then most of the work is done: the Red Hat imapd comes with Kerberos support already built in and enabled. All that remains is to add Kerberos principals for the mail service on the server host.

If your username is homer and the mail server is marge, then:

marge# kadmin -p homer/admin Authenticating as principal homer/admin@DOGOOD.ORG with password. Enter password: ******** kadmin: ank -randkey -policy hosts imap/marge.dogood.org Principal "imap/marge.dogood.org@DOGOOD.ORG" created. kadmin: ktadd -k /etc/krb5.keytab imap/marge.dogood.org Entry for principal imap/marge.dogood.org@DOGOOD.ORG with kvno 3,   encryption type  Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/ krb5.keytab. kadmin: quit

Now on any host in the Kerberos realm, your compatible mail client should automatically use your Kerberos credentials, if available:

$ kinit Password for pat@DOGOOD.ORG: ******** $ klist Ticket cache: FILE:/tmp/krb5cc_503 Default principal: pat@DOGOOD.ORG Valid starting     Expires            Service principal 03/05/03 03:48:35  03/05/03 13:48:35  krbtgt/DOGOOD.ORG@DOGOOD.ORG

Then connect with your mail client, such as mutt: [Recipe 8.12]

$ MAIL=imap://pat@marge.dogood.org/   mutt

or pine: [Recipe 8.11]

$ pine -inbox-path='{pat@marge.dogood.org/imap}'

If it works correctly, you will be connected to your mailbox without being asked for a password, and you'll have acquired a Kerberos ticket for IMAP on the mail server:

$ klist Ticket cache: FILE:/tmp/krb5cc_500 Default principal: pat@DOGOOD.ORG Valid starting     Expires            Service principal 03/07/03 14:44:40  03/08/03 00:44:40  krbtgt/DOGOOD.ORG@DOGOOD.ORG 03/07/03 14:44:48  03/08/03 00:44:40  imap/marge.dogood.org@DOGOOD.ORG

4.16.3 Discussion

This technique works for POP as well. With pine, use Kerberos service principal pop/marge.dogood.org@DOGOOD.ORG and a mailbox path ending in /pop. With mutt, however, we were unable to make this work in our Red Hat 8.0 system. There is some confusion about whether the Kerberos principal is pop/... or pop-3/...; also, the actual AUTH GSSAPI data transmitted by the client appears to be truncated, causing authentication failure. We assume this is a bug that will be fixed eventually.

For debugging, remember to examine the KDC syslog messages for clues.

4.16.4 See Also

mutt(1), pine(1). See SSL for Securing Mail, regarding the relationship between SSL and different forms of user authentication.

The Kerberos FAQ has more about GSSAPI: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html.

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
High-Speed Signal Propagation[c] Advanced Black Magic
C++ How to Program (5th Edition)
Special Edition Using FileMaker 8
MPLS Configuration on Cisco IOS Software
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy