Bug 14928 - RFE: support for logging in with GSSAPI/Kerberos
Summary: RFE: support for logging in with GSSAPI/Kerberos
Status: NEW
Alias: None
Product: Telepathy
Classification: Unclassified
Component: gabble (show other bugs)
Version: unspecified
Hardware: Other All
: medium enhancement
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL:
Whiteboard:
Keywords: NEEDINFO
: 18471 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-03-09 23:30 UTC by Matej Cepl
Modified: 2014-06-25 06:40 UTC (History)
11 users (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matej Cepl 2008-03-09 23:30:05 UTC
Especially with XMPP which is deployed in many corporate settings (my employer is a weird example, where Jabber plays a second fiddle to IRC ;-)) it would be quite useful for Telepathy to be able to work there with authentication via Kerberos.
Comment 1 Ted Gould 2008-03-10 19:42:09 UTC
How does that work?  Are you sharing the token with the login or getting a new token?
Comment 2 Simon McVittie 2008-03-11 02:34:44 UTC
I believe none of the Telepathy upstream developers use Kerberos.

For the necessary D-Bus API changes, you or another Kerberos user would need to tell us what information needs to be transferred from the GUI to the implementation in order to do the login (if at all possible, we want all state transferred to the CM to be explicit, rather than picking it up from files/the environment/daemons/whatever).

Someone would likely also need to patch Loudmouth (the XMPP library we use) to be able to do Kerberos authentication.
Comment 3 Matej Cepl 2008-03-11 07:18:16 UTC
(In reply to comment #1)
> How does that work?  Are you sharing the token with the login or getting a new
> token?

Yes, I have to run kinit before running IM client (unfortunately, I really hate it, but the only IM client which supports Kerberos is pidgin; yuck).

Matěj
Comment 4 Jan Oravec 2008-03-13 07:38:35 UTC
I guess the best way would be to use some SASL library which abstract sign in mechanism.

I am not sure, which application (telepathy-gabble or IM client) would have to actually read kerberos token.
Comment 5 Matej Cepl 2008-03-13 07:48:30 UTC
(In reply to comment #4)
> I guess the best way would be to use some SASL library which abstract sign in
> mechanism.

I heard a lot of good things about cyrus-sasl, which supports (among all other methods) also GSSAPI.
Comment 6 Matej Cepl 2008-03-14 07:24:28 UTC
(In reply to comment #2)
> I believe none of the Telepathy upstream developers use Kerberos.

Would telepathy-haze be able to use gaim ability to use cyrus-sasl-gssapi?
Comment 7 Will Thompson 2008-03-14 07:28:44 UTC
Well, haze exposes (I believe) all of the account options you can set in Pidgin for each protocol.  So, if you use the exact same settings as you would in Pidgin to make an XMPP connection with haze, it should work.

The exception would be if Pidgin pops up extra dialogs during connection to request credentials or something – haze doesn't support that part of libpurple just yet, so the connection would never be established.  But, maybe it's worth a shot anyway.
Comment 8 Dax Kelson 2008-11-10 11:53:58 UTC
*** Bug 18471 has been marked as a duplicate of this bug. ***
Comment 9 Dax Kelson 2008-11-10 11:58:56 UTC
In Empathy you can't create an account without a password defined. If you could, then ma(In reply to comment #7)
> Well, haze exposes (I believe) all of the account options you can set in Pidgin
> for each protocol.  So, if you use the exact same settings as you would in
> Pidgin to make an XMPP connection with haze, it should work.

In Pidgin you set *no* password and then assuming you have cyrus-sasl-gssapi installed then it will attempt a GSSaPI/Kerberos login if the server supports it.

One problem is that Empathy does NOT support defining an account without a password. If a password is set (an incorrect one), it doesn't appear to then try GSSAPI.

> The exception would be if Pidgin pops up extra dialogs during connection to
> request credentials or something – haze doesn't support that part of
> libpurple just yet, so the connection would never be established.  But, maybe
> it's worth a shot anyway.

As long as you've done a "kinit" ahead of time to login to Kerberos (or used pam_krb5), then there are no extra dialog popups.
Comment 10 Jelmer Vernooij 2008-12-23 20:54:08 UTC
I've contributed GSSAPI support to loudmouth that's landed in the master branch and will hopefully end up in Loudmouth 1.5.
Comment 11 Dax Kelson 2011-02-28 22:49:08 UTC
With GNOME 3.0 coming out soon and empathy being tightly integrated, I would REALLY love to see GSSAPI support.

It looks like the loudmouth GSSAPI support was to no avail as telepathy-gable is is where the XMPP action is nowadays.

Any update on this bug?
Comment 12 Dax Kelson 2011-02-28 23:12:06 UTC
(In reply to comment #11)

> It looks like the loudmouth GSSAPI support was to no avail as telepathy-gable
> is is where the XMPP action is nowadays.

For folks that find this via google, "wocky" provides XMPP for Empathy via gable.
Comment 13 Simon McVittie 2012-03-01 07:20:30 UTC
Returning to this a year later:

telepathy-gabble now supports offloading SASL to an external process (a Handler for SASLAuthentication channels). An Empathy component which uses gnome-keyring and/or an interactive prompt is more or less the reference implementation (I believe it's called empathy-auth internally). There's also one in Maemo/MeeGo Harmattan on the N9, and I believe there's another in Telepathy-KDE.

The purpose of offloading these things into an external UI is that that UI can prompt the user for passwords, tokens or whatever else they're expected to provide; if Kerberos/GSSAPI authentication is non-interactive, you could try it first without showing any UI, though.

Gabble is now almost entirely SASL-mechanism-agnostic: it just proxies the list of available SASL mechanisms, and the SASL handshake for the chosen mechanism, onto D-Bus. The exceptions are when you do simple password authentication, either by providing a password before you connect or using the X-TELEPATHY-PASSWORD pseudo-mechanism (designed to make implementation of trivial clients easier); in either of those cases, Gabble still does the SASL handshake internally, using one of its supported mechanisms (which I believe are still limited to PLAIN or DIGEST-MD5).

So, if your XMPP server exposes Kerberos or GSSAPI as an ordinary SASL mechanism, I believe it should now be possible to implement Kerberos or GSSAPI in the SASLAuthentication Handler (password-prompting UI), without changes to Gabble. I'd suggest modifying the SASLAuthentication Handler in Empathy as a good starting point.
Comment 14 Matej Cepl 2012-03-13 11:54:41 UTC
(In reply to comment #13)
> So, if your XMPP server exposes Kerberos or GSSAPI as an ordinary SASL
> mechanism,

Is it how http://xmpp.org/rfcs/rfc6120.html#tls works?


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.