Password authentication using Kerberos (possibly via SASL)

I'm evaluating Wildfire here at MIT, and one of the features we need is the ability to authenticate passwords against our Kerberos KDC. (We also need proper GSSAPI authentication for the clients that support it; thankfully, that's already in and I've gotten it working.) I believe that's not currently possible; the authentication providers I saw can use the native DB, an external DB, a POP server, or an LDAP server.

I think it should be relatively simple to create an auth provider which creates a SaslServer with the "PLAIN" mechanism type and feeds in the username and password, assuming the javax.security.sasl.Sasl provider is configurable to do password auth against the KDC (which I'm guessing it is, though I'll have to look into that further).

Would the Wildfire developers be receptive to adding such a provider to the tree if I send in a reasonable implementation?

Thanks.

Always some small problem.

To create a SaslServer instance, I need to know the server name. AuthProviders do not get access to the session object which is the normal path for obtaining the server name.

It might be relatively simple to change the AuthProvider interface to include a session argument in the authenticate methods; that could have implications for custom AuthProvider components if those are supported.

Comments?

Okay, javax.security.sasl has no PLAIN handler, so my idea was a dead end.

However, I found a way to do what I want, more or less, without code modifications using PAM authentication under Unix. The steps:

  1. In /opt/wildfire, copy resources/nativeAuth/linux-i386/libshaj.so to lib

  2. In /opt/wildfire/conf/wildfire.xml, configure the native auth provider:

  3. Create /etc/pam.d/xmpp with:

auth required pam_krb5.so no_user_check

This is on an RHEL3 machine with the pam_krb5 package installed. The only wart is that Shaj is calling pam_setcred, which causes pam_krb5 to write out a credentials cache in /tmp. Not really a problem, but not desirable either. I couldn't find a way to turn that off in pam_krb5.
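An added example, not from the thread, of a small preflight check for a PAM service file like the /etc/pam.d/xmpp above before pointing Wildfire's native auth provider at it; it assumes the four-field PAM line syntax and takes the module directory as its second argument (the /lib/security default is an assumption for this RHEL3 setup). It also flags the no_user_check option, since with it any principal the KDC accepts passes the PAM step and Wildfire alone decides who gets in.

```shell
#!/bin/sh
# Added example, not part of the thread: preflight check for a PAM service
# file such as /etc/pam.d/xmpp before handing it to Wildfire's native auth.
# Assumes the four-field PAM line syntax "type control module [options]".
# Usage: check_pam_service /etc/pam.d/xmpp /lib/security
# Returns 0 if every referenced module resolves and at least one "auth" line
# exists (Wildfire only drives the auth stack), 1 otherwise.
check_pam_service() {
    file=$1
    moddir=${2:-/lib/security}   # assumed default module directory
    rc=0
    auth_lines=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 1; }
    while read -r type control module opts; do
        # skip blank lines and comments
        case "$type" in ''|\#*) continue ;; esac
        case "$type" in
            auth) auth_lines=$((auth_lines + 1)) ;;
            account|password|session) ;;
            *) echo "ERROR: unknown module type '$type'"; rc=1; continue ;;
        esac
        case "$control" in
            required|requisite|sufficient|optional) ;;
            *) echo "WARN: control '$control' not recognised (bracketed syntax not parsed here)" ;;
        esac
        if [ -z "$module" ]; then
            echo "ERROR: '$type $control' names no module"; rc=1; continue
        fi
        case "$module" in /*) path=$module ;; *) path=$moddir/$module ;; esac
        if [ -f "$path" ]; then
            echo "ok: $type $control $module"
        else
            echo "ERROR: $module not found at $path"; rc=1
        fi
        # With no_user_check, pam_krb5 skips the local-account lookup, so any
        # principal the KDC accepts passes this step; Wildfire itself must then
        # decide which of those users are allowed in.
        case " $opts " in
            *" no_user_check "*) echo "note: $module runs with no_user_check" ;;
        esac
    done < "$file"
    if [ "$auth_lines" -eq 0 ]; then
        echo "ERROR: no auth line in $file"; rc=1
    fi
    return "$rc"
}
```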

Maybe a stupid question, but I did all this to get my Wildfire to work generally with PAM (it wants to check against the regular user database). But after adding this (with a different pam.d, of course) I don't get "any" feedback. That means the client tells me that the password is probably wrong or someone else uses that account, but there is no effect in any Wildfire logfile or in the auth.log of the system…

Has someone got an idea about this? It would help very much.