
7.7 Kerberos-Enabled Server Packages

While PAM is a great solution for local login on the system console, the real advantages of using Kerberos are only realized if the client/server applications that users interact with are configured for native Kerberos support. Our users now have Kerberos tickets upon login. The next step is to start adding Kerberos support to the application servers that users access. We want users to enjoy the benefits of a fully-Kerberized environment as much as possible, so I'll focus on enabling native Kerberos support in as many packages as support it, and fall back to the single-login capability provided by other packages that do not have built-in Kerberos support. We already saw an example of a network protocol with native Kerberos support back in Chapter 4, when we configured the Kerberos telnet server to test our new Kerberos implementation. We're going to take that a step further in this section and examine how to add Kerberos support to other popular network protocols.

7.7.1 Electronic Mail (Cyrus IMAP)

Cyrus IMAP is a part of Project Cyrus, a project developed at Carnegie Mellon University to provide a reliable, scalable electronic mail system for the campus. The original 1994 design goals of the Cyrus mail server match many of the goals administrators have today: the mail service had to scale to thousands of simultaneous readers, it had to support many different clients on different hardware and operating-system platforms, and it had to integrate with the campus-wide authentication system, which happens to be based on Kerberos. Today, Cyrus supports the two major mail access protocols: the Internet Mail Access Protocol (IMAP) and Post Office Protocol (POP). A separate program, a Mail Transfer Agent (MTA), handles the task of transferring mail from system to system through the Simple Mail Transfer Protocol (SMTP). Newer mail clients support SMTP authentication, and we'll discuss Kerberos support for MTAs in the next section. Cyrus IMAP is available from Carnegie Mellon at http://asg.web.cmu.edu/cyrus/imapd/, and the latest stable version available at the time of this writing is 2.1.12. Cyrus IMAP uses the Cyrus SASL library to handle authentication and session encryption tasks. Therefore, before building Cyrus IMAP, you'll need a working installation of Cyrus SASL.

7.7.1.1 Building and configuring the distribution

Cyrus IMAP is a complex package, and most of the build and configuration options relate to how it handles mail, not to its authentication mechanism. Therefore, we're going to focus on the particular options necessary to enable GSSAPI support in Cyrus IMAP. After acquiring the source distribution, untar it and run the following configure line, which configures Cyrus IMAP for GSSAPI and SASL support:

    ./configure --enable-gssapi=/usr/local --with-sasl=/usr/local
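Once a server built this way is running, one check is whether its IMAP capability line lists `AUTH=GSSAPI`. The following is an added example, not code from the book or from Project Cyrus; it parses the generic capability syntax of RFC 3501, and the sample lines and the host name `mail.example.com` are constructed.

```python
import re

# The capability list appears either in an untagged "* CAPABILITY ..." response
# or as a "[CAPABILITY ...]" response code inside the greeting (RFC 3501).
_CAP_RE = re.compile(
    r"^\* CAPABILITY (?P<plain>.*)$|\[CAPABILITY (?P<code>[^\]]*)\]",
    re.IGNORECASE,
)


def parse_capabilities(line):
    """Return the set of upper-cased capability atoms found in one server line."""
    m = _CAP_RE.search(line.strip())
    if not m:
        return set()
    atoms = (m.group("plain") or m.group("code") or "").split()
    # Capability names are case-insensitive, so normalise before comparing.
    return {a.upper() for a in atoms}


def audit(line):
    """Summarise what a capability line says about Kerberos (GSSAPI) logins."""
    caps = parse_capabilities(line)
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    return {
        "sasl_mechanisms": mechs,
        "gssapi_offered": "GSSAPI" in mechs,
        # LOGINDISABLED means the server refuses the plaintext LOGIN command.
        "plaintext_login_refused": "LOGINDISABLED" in caps,
        "starttls_offered": "STARTTLS" in caps,
    }


# Constructed sample lines, not captured from a real server.
SAMPLE_GSSAPI = (
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI] "
    "mail.example.com ready"
)
SAMPLE_NO_GSSAPI = "* CAPABILITY IMAP4 IMAP4rev1 auth=plain AUTH=LOGIN"

if __name__ == "__main__":
    for sample in (SAMPLE_GSSAPI, SAMPLE_NO_GSSAPI):
        print(audit(sample))
```

A line without `AUTH=GSSAPI` does not by itself identify the cause; the build options above are one of several things to re-check.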