Re: GSSAPI with SMTP client

Jul 11, 2013

On 07/11/2013 10:01 AM, Viktor Dukhovni wrote:
> On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:
>> Viktor,
>> Just for posterity, I put together a set of instructions on how to do
>> this beginning to end here:
>> Though it uses FreeIPA, you can easily just use straight Kerberos tools
>> like kadmin.
> If active man-in-the-middle attacks are a plausible risk, you should
> look into making TLS mandatory and authenticating the server.
> GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked after the client authenticates
> with GSSAPI. You can use "fingerprint" security if your server
> certificate is not signed by a usable CA.
>
> As for where to keep non-system keytabs, there is some precedent for
> using /var/spool/keytabs/.
>
> Finally, the main.cf fragment in the document does not indent the
> continuation lines for import_environment correctly. I would also
> avoid the double-spacing.
Thanks for giving it a read through and for the feedback. I'll make some
adjustments. However, do you have a bit more info about what you mean by
channel binding? A link, something along those lines just so I can
understand the concepts here.
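As an added example (not from the original thread and not from Erinn's document), here is a main.cf fragment that applies the points Viktor raises: GSSAPI authentication for the Postfix SMTP client, TLS made mandatory with the server authenticated before AUTH is sent (CA verification by default, a certificate fingerprint for a server without a usable CA), and correctly indented import_environment continuation lines. Hostnames, paths, the keytab location and the fingerprint are placeholders, and KRB5_CLIENT_KTNAME assumes MIT Kerberos 1.11 or later.

```conf
# Added example main.cf fragment (not from the original thread or Erinn's
# document). Hostnames, paths and the fingerprint below are placeholders.

# --- SASL: authenticate the SMTP client with GSSAPI (Kerberos) ---
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous, noplaintext
# Postfix only attempts AUTH for destinations that have a password-map entry;
# with GSSAPI the entry supplies the principal name and the password field is
# not used (assumed entry: "relay.example.com  smtp/client.example.com@EXAMPLE.COM:x").
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# --- TLS: mandatory, with the server authenticated before AUTH is sent ---
# Weak (opportunistic) setting: TLS is optional and the server is never
# verified, so an active attacker can take over the session after the
# GSSAPI exchange, because GSSAPI inside TLS does no channel binding:
#smtp_tls_security_level = may
# Hardened default: require TLS and a CA-verified certificate whose name
# matches the next-hop destination.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_fingerprint_digest = sha256
# Per-destination override for a server whose certificate is not signed by a
# usable CA: pin its certificate fingerprint instead. The policy table
# (build with: postmap hash:/etc/postfix/tls_policy) would hold a line like
#   relay.example.com  fingerprint match=AA:BB:CC:...:FF    (placeholder digest)
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- Kerberos environment for the smtp(8) client process ---
# Continuation lines must begin with whitespace and should not be
# double-spaced. /var/spool/keytabs/ follows the precedent mentioned in
# the thread; KRB5_CLIENT_KTNAME assumes MIT Kerberos 1.11 or later, which
# acquires initial credentials from that keytab automatically.
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_CLIENT_KTNAME=/var/spool/keytabs/smtp.keytab
```

After editing, `postconf -n import_environment` should print the merged value on one logical line; a continuation line that lost its leading whitespace shows up as a separate, bogus parameter instead.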