help-gsasl

GS2-KRB5 on Mac OS X howto


From: Simon Josefsson
Subject: GS2-KRB5 on Mac OS X howto
Date: Wed, 31 Mar 2010 01:18:43 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Folks,

I've blogged a howto on installing GS2-KRB5 on a Mac OS X machine:

http://blog.josefsson.org/2010/03/31/gs2-krb5-in-gnu-sasl-150/

Verbatim text pasted below for easier reference...

/Simon

GS2-KRB5 in GNU SASL 1.5.0

I have worked in the IETF on the specification for the next generation
GSSAPI-to-SASL bridge called GS2 (see my status page for background) for
a couple of years now. The specification is (finally!) in the RFC
editor’s queue, and is supposed to be stable and final although we are
still tuning some details. The next step is to implement the protocol
and do interop testing. A couple of months of implementation and testing
work culminated in tonight’s release of GNU SASL 1.5.0 (see announcement
here). Or should I say that the work can now begin…

To get you started with GS2-KRB5 here is a brief walk-through on
installing GNU SASL 1.5.0 on a Mac OS X machine and using it to connect
to my GS2-KRB5 interop server. I’m assuming you have already installed a
compiler on your system. Start by downloading and installing GNU SASL:

wget -q ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.5.0.tar.gz
tar xfz gsasl-1.5.0.tar.gz
cd gsasl-1.5.0
./configure --prefix=$HOME CFLAGS=-g
make all check install

Next you need to configure Kerberos on your system. If you already
have a configuration, make sure to take a backup of your configuration
files. First let’s tell your machine about my interop Kerberos V5 realm
by creating a file ~/Library/Preferences/edu.mit.Kerberos with the
following content:

[libdefaults]
        default_realm = interop.josefsson.org

[realms]
        interop.josefsson.org = {
                kdc = interop.josefsson.org:88
        }

[domain_realm]
        interop.josefsson.org = interop.josefsson.org

Next get a ticket for a dummy user. Use the password ‘pass’ at the prompt:

espresso:~ jas$ kinit address@hidden
Please enter the password for address@hidden:
espresso:~ jas$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: address@hidden

Valid Starting     Expires            Service Principal
03/31/10 00:59:04  03/31/10 10:59:02  krbtgt/address@hidden
        renew until 01/01/70 01:00:00

klist: No Kerberos 4 tickets in credentials cache
espresso:~ jas$

Next connect to my test IMAP server using the command-line ‘gsasl’ tool
(long lines cut for legibility):

espresso:~ jas$ ~/bin/gsasl interop.josefsson.org -auser
Trying `interop.josefsson.org'...
* OK IMAP4rev1
. CAPABILITY
* CAPABILITY ... AUTH=GS2-KRB5
. OK CAPABILITY Completed
. AUTHENTICATE GS2-KRB5
+
biwsAQBuggINMIICCa...
+ YHEGCSqGSIb3EgEC...

. OK AUTHENTICATE GS2-KRB5 authentication successful
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
. list "" "*"
* LIST (\NoInferiors) NIL INBOX
* LIST (\NoInferiors) "/" .bashrc
* LIST (\NoInferiors) "/" .bash_logout
* LIST (\NoInferiors) "/" .profile
* LIST (\NoInferiors) "/" .bash_history
. OK LIST Completed
. logout
* BYE Session terminating.
. OK LOGOUT Completed
Session finished...
. LOGOUT
espresso:~ jas$

There! You have just completed a GS2-KRB5 authenticated session.

Of course, this works just as well on your favorite GNU/Linux system,
but I thought I’d explain it for a non-GNU platform and GSS-API library
to show that the code is quite portable despite its experimental status.

Btw, the server is running GNU Shishi as the Kerberos V5 KDC and GNU
MailUtils as the IMAP server. The IMAP server is using GNU SASL in
server mode.
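
The two base64 lines in the AUTHENTICATE GS2-KRB5 exchange above can be inspected offline. The Python below is an added example, not part of the original post or of GNU SASL: it parses the GS2 header (as specified in RFC 5801) from the client's first message, using the truncated token prefixes visible in the transcript plus one constructed sample. All function and constant names are hypothetical.

```python
import base64

# Prefixes of the two tokens shown in the transcript, cut at a whole base64
# quantum (16 characters); the rest of each token is elided on the page.
CLIENT_PREFIX = "biwsAQBuggINMIIC"
SERVER_PREFIX = "YHEGCSqGSIb3EgEC"
# Constructed sample: channel binding requested plus an escaped authzid.
CONSTRUCTED = base64.b64encode(b"p=tls-unique,a=user=2Cadmin=3Dx,\x01\x00").decode()


def unescape_saslname(name):
    """RFC 5801 saslname: ',' travels as '=2C' and '=' as '=3D'."""
    out, i = [], 0
    while i < len(name):
        if name[i] != "=":
            out.append(name[i])
            i += 1
            continue
        esc = name[i:i + 3]
        if esc not in ("=2C", "=3D"):
            raise ValueError("invalid saslname escape: %r" % esc)
        out.append("," if esc == "=2C" else "=")
        i += 3
    return "".join(out)


def parse_gs2_initial(b64):
    """Split a base64 GS2 initial client response into header fields and token."""
    raw = base64.b64decode(b64, validate=True)
    nonstd = raw.startswith(b"F,")          # gs2-nonstd-flag
    if nonstd:
        raw = raw[2:]
    fields = raw.split(b",", 2)             # the token itself may contain ','
    if len(fields) != 3:
        raise ValueError("truncated gs2-header")
    cb, authzid, token = fields[0].decode("ascii"), fields[1].decode("utf-8"), fields[2]
    if cb not in ("n", "y") and not cb.startswith("p="):
        raise ValueError("bad gs2-cb-flag: %r" % cb)
    if authzid and not authzid.startswith("a="):
        raise ValueError("bad gs2-authzid: %r" % authzid)
    return {
        "nonstd": nonstd,
        "channel_binding": cb,
        "authzid": unescape_saslname(authzid[2:]) if authzid else None,
        "token": token,
    }


def has_gss_framing(token):
    """True if the token starts with the generic GSS-API framing tag 0x60."""
    return token[:1] == b"\x60"
```

On the transcript's prefixes this reports channel-binding flag "n", no authzid, and a client token that begins 01 00 6e (the Kerberos AP-REQ token ID, sent without the 0x60 GSS-API header, which GS2 strips from the first client token). The server's reply prefix still carries the 0x60 framing.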



