cosign-discuss at umich.edu
general discussion of cosign development and deployment
OK, just wondering how you guys got it working ;) I notice the forwardable tickets. I was wondering if I might investigate the ability to do something like the following:

1. Keep the primary TGT on the cosign server(s).
2. On an authorized RETR request, generate a TGT for THAT host and send that.

I am not sure if this is doable or not, but I am thinking of investigating this a little, because this will mean someone who compromises the web server will only be able to become these users from that host, which is marginally safer.

Brett

-----Original Message-----
From: Wesley D Craig [mailto:wes@xxxxxxxxx]
Sent: Sunday, 7 November 2004 11:46 a.m.
To: Brett Lomas
Cc: cosign-discuss@xxxxxxxxx
Subject: Re: Cosign and cyrus imap and IMP

On 06 Nov 2004, at 16:01, Brett Lomas wrote:
> But, the problem I am having is mainly with Kerberos, in reality, because
> the tickets are tied to the cosign server, and thus will not work on the web
> server with my IMP and IMAP proof of concept (more of a kinda it-can-be-done
> than POC). I cannot see how you guys get around it, other than perhaps your
> Kerberos server gives out address-less tickets by default???

Perhaps. We used to put an option in our krb5.conf file to the effect that we wanted an address-less ticket:

    noaddresses = true

I don't see that there, now. There's a block of Kerberos options set in cosign/cgi/cgi.c:

    krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
    krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
    krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
    krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );

Perhaps we need to add this:

    krb5_get_init_creds_opt_set_address_list( &kopts, NULL );

If it works for you, we can certainly add it.

:wes
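The krb5.conf side of what Wes describes, as an added illustration that is not part of the thread or of the cosign code base: the `noaddresses` and `forwardable` keys are real MIT Kerberos `[libdefaults]` options; the realm name, KDC host and the comments are constructed for this example only.

```ini
# Constructed example krb5.conf fragment (not from the cosign project).
# Placed under [libdefaults], these settings make the client request
# tickets that are usable from hosts other than the one that obtained them,
# which is what a cosign server needs before it can hand a TGT on to a
# web server that runs IMP against IMAP.
[libdefaults]
    default_realm = EXAMPLE.ORG        # placeholder realm
    # Request tickets with no client address list, so the KDC does not
    # bind them to the cosign server's IP. Without this, the forwarded
    # ticket is rejected when presented from the web server.
    noaddresses = true
    # Ask for forwardable TGTs, matching the
    # krb5_get_init_creds_opt_set_forwardable( &kopts, 1 ) call in cgi.c.
    forwardable = true
    # Ticket lifetime; cgi.c hard-codes 10 hours via set_tkt_life.
    ticket_lifetime = 10h

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org          # placeholder KDC
    }
```

Both of these are trade-offs rather than free wins, which is the point Brett raises: an address-less, forwardable TGT that reaches a web server can be used from any host by whoever holds that server's credential cache, so the cache file permissions and ticket lifetime are what bound the exposure. The cgi.c options Wes lists override the matching krb5.conf keys for cosign's own requests, so a setting changed in only one of the two places may not take effect.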