7.7 Kerberos-Enabled Server Packages
While PAM is a great solution for local login on the system console, the real advantages of Kerberos are only realized if the client/server applications that users interact with are configured for native Kerberos support.
Our users now have Kerberos tickets upon login. The next step is to start adding Kerberos support to the application servers that users access. We want users to enjoy the benefits of a fully-Kerberized environment as much as possible, so I'll focus on enabling native Kerberos support in as many packages as support it, and fall back to the single-login capability provided by other packages that do not have built-in Kerberos support.
We already saw an example of a network protocol with native Kerberos support back in Chapter 4, when we configured the Kerberos telnet server to test our new Kerberos implementation. We're going to take that a step further in this section and examine how to add Kerberos support to other popular network protocols.
7.7.1 Electronic Mail (Cyrus IMAP)
Cyrus IMAP is a part of Project Cyrus, a project developed at Carnegie Mellon University to provide a reliable, scalable electronic mail system for the campus. The Cyrus mail server had, in its original design goals from 1994, many of the same goals as administrators today: the mail service had to scale to thousands of simultaneous readers, it had to support many different clients on different hardware and operating-system platforms, and it had to integrate with the campus-wide authentication system, which happens to be based on Kerberos. Today, Cyrus supports the two major mail access protocols: the Internet Mail Access Protocol (IMAP) and Post Office Protocol (POP). A separate program, a Mail Transfer Agent (MTA), handles the task of transferring mail from system to system through the Simple Mail Transfer Protocol (SMTP). Newer mail clients support SMTP authentication, and we'll discuss Kerberos support for MTAs in the next section.
Cyrus IMAP is available from Carnegie Mellon at http://asg.web.cmu.edu/cyrus/imapd/, and the latest stable version available at the time of this writing is 2.1.12. Cyrus IMAP uses the Cyrus SASL library to handle authentication and session encryption tasks. Therefore, before building Cyrus IMAP, you'll need a working installation of Cyrus SASL.
7.7.1.1 Building and configuring the distribution
Cyrus IMAP is a complex package and most of the build and configuration options relate to how it handles mail, and not its authentication mechanism. Therefore, we're going to focus on the particular options necessary to enable GSSAPI support in Cyrus IMAP.
After acquiring the source distribution, untar it. The following configure line will configure Cyrus IMAP for GSSAPI and SASL support:
./configure --enable-gssapi=/usr/local --with-sasl=/usr/local
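Because Cyrus IMAP depends on a working Cyrus SASL installation, it is worth checking the SASL prefix before running configure. The following preflight check is an added example, not part of the original text or of the Cyrus distribution; the function names are hypothetical, and the file layout it looks for (include/sasl/sasl.h, lib/libsasl2.*, and a libgssapiv2.* plugin in a sasl2 plugin directory) is an assumption about a typical Cyrus SASL v2 install.

```shell
#!/bin/sh
# Added example: preflight check before ./configure --with-sasl=PREFIX.
# Assumed layout of a Cyrus SASL v2 install (adjust for your system):
#   PREFIX/include/sasl/sasl.h    header
#   PREFIX/lib/libsasl2.*         library
#   <plugin dir>/libgssapiv2.*    GSSAPI mechanism, shipped as a plugin

# first_match FILE... : succeed if any argument names an existing file.
# An unmatched glob is passed through literally and fails the -e test.
first_match() {
    for f in "$@"; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# check_sasl_prefix PREFIX [PLUGINDIR...]
# Prints one line per finding; returns 0 only when the header, the library
# and the GSSAPI plugin are all present. With no PLUGINDIR given it looks in
# PREFIX/lib/sasl2 and /usr/lib/sasl2 (assumed common plugin locations).
check_sasl_prefix() {
    prefix=$1; shift
    [ $# -gt 0 ] || set -- "$prefix/lib/sasl2" /usr/lib/sasl2
    rc=0
    if [ -f "$prefix/include/sasl/sasl.h" ]; then
        echo "ok: SASL header under $prefix/include/sasl"
    else
        echo "missing: $prefix/include/sasl/sasl.h"; rc=1
    fi
    if first_match "$prefix"/lib/libsasl2.*; then
        echo "ok: libsasl2 under $prefix/lib"
    else
        echo "missing: $prefix/lib/libsasl2.*"; rc=1
    fi
    found=
    for dir in "$@"; do
        if first_match "$dir"/libgssapiv2.*; then found=$dir; break; fi
    done
    if [ -n "$found" ]; then
        echo "ok: GSSAPI plugin in $found"
    else
        echo "missing: libgssapiv2 plugin (SASL built without GSSAPI?)"; rc=1
    fi
    return $rc
}
# Usage: check_sasl_prefix /usr/local
```

A missing GSSAPI plugin is the case to watch for: the IMAP build can succeed while the server ends up unable to offer the GSSAPI mechanism to clients.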