Re: jabberd2 sasl auth with gsasl, gss and shishi


From: Simon Josefsson
Subject: Re: jabberd2 sasl auth with gsasl, gss and shishi
Date: Mon, 21 Nov 2011 12:54:28 +0100
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

Andrés More <address@hidden> writes:

> Hi,
>
> I'm trying to put together latest versions of jabberd2, gsasl, gss and shishi.
> I would like to authenticate XMPP clients accessing Jabberd2 thru Kerberos.
>
> http://ftp.gnu.org/gnu/shishi/shishi-1.0.0.tar.gz
> http://ftp.gnu.org/gnu/gss/gss-1.0.1.tar.gz
> http://ftp.gnu.org/gnu/gsasl/gsasl-1.6.1.tar.gz
>
> I've manually compiled all the stuff, 'make check' is passing
> everywhere [1], I've setup a shisa DB and I can use shishi to get
> tickets as expected. However when trying to use Jabberd2 SASL it won't
> list GSSAPI or GS2-KRB5 as available mechanisms.
>
> I think I've isolated the issue by using the gsasl command [2]. It is
> not listing GSSAPI when asking for --server-mechanisms. I've tried to
> follow the code callbacks in gsasl and gss without success...
>
> What can I do to find out more troubleshooting information? I've read
> most of what I've found in the web but I'm still lost [3]. I apologize
> in advance if I'm not reaching the right mailing list.

Have you created a Kerberos servtab for the server?  The GSS-API server
checks whether there is a secret key file for it, and if there is none,
it disables itself.  Normally you should have /etc/shishi.keys with a
key for the service, which in your test below would be named
'xmpp/gentoo'.

Thanks for testing!  I know documentation on setting up a Shishi-based
server could be better, improvements are welcome if you figure it out.

/Simon

> Thanks!
>
> -- Andres
>
> [1]
> BTW, I've found that the gsasl_nonce test needs too much entropy so
> I had to install rng-tool, so it won't run properly in a VM.
>
> Self test `./simple' finished with 0 errors
> PASS: simple
> gsasl_nonce
> ^C
> $ cat /proc/sys/kernel/random/entropy_avail
> 14
>
> [2]
> $ gsasl --client-mechanisms
> Enter base64 encoded tls-unique channel binding: 123
> This client supports the following mechanisms:
> ANONYMOUS EXTERNAL LOGIN PLAIN SECURID NTLM DIGEST-MD5 CRAM-MD5 GSSAPI GS2-KRB5
> $ gsasl --server-mechanisms
> Enter base64 encoded tls-unique channel binding: 123
> Enter GSSAPI service name (e.g. "imap"): xmpp
> Enter hostname of server: gentoo
> This server supports the following mechanisms:
> ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5
>
> [3]
> the output example at the end of the shishi manual walk-through does
> not make sense to me, maybe I'm missing something there.
> http://www.gnu.org/s/shishi/manual/shishi.html 'we illustrate using
> the TGS service as well'
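
The check described in the reply above (no key for the service in the key file means GSSAPI is not offered), as an added shell example that is not part of the original thread. It assumes the Shishi text key-file format with `Principal:` header lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a Shishi key file holds a key for a service
# principal. Assumes the text key format with "Principal:" header lines.

# list_principals FILE: print the principal of every key block in FILE.
list_principals() {
    awk '
        /^-----BEGIN SHISHI KEY-----/ { inkey = 1; next }
        /^-----END SHISHI KEY-----/   { inkey = 0; next }
        inkey && /^Principal:/ { sub(/^Principal:[ \t]*/, ""); print }
    ' "$1"
}

# check_servtab FILE PRINCIPAL
# returns 0 key present, 1 file missing, 2 file unreadable, 3 no key for PRINCIPAL
check_servtab() {
    file=$1 principal=$2
    [ -e "$file" ] || { echo "$file: missing" >&2; return 1; }
    [ -r "$file" ] || { echo "$file: not readable by $(id -un)" >&2; return 2; }
    if list_principals "$file" | grep -Fxq -- "$principal"; then
        echo "$file: key for $principal present"
        return 0
    fi
    echo "$file: no key for $principal" >&2
    return 3
}

# Constructed sample key file; the key material is a placeholder, not a real key.
# It holds a host key only, so the xmpp service check below fails with status 3.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN SHISHI KEY-----
Keytype: 18 (aes256-cts-hmac-sha1-96)
Principal: host/gentoo
Realm: EXAMPLE.ORG
Key-Version-Number: 1

PLACEHOLDERPLACEHOLDERPLACEHOLDER=
-----END SHISHI KEY-----
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/shishi.keys"
check_servtab "$tmp/shishi.keys" xmpp/gentoo || echo "exit status $?"
```

Run the check as the account the server process uses, since a key file that only root can read looks the same to the server as a missing one.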