Thunderbird:Supported authentication methods: Difference between revisions
(Request kerberos auth.) |
m (Add category info) |
||
| (14 intermediate revisions by 4 users not shown) | |||
| Line 2: | Line 2: | ||
Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here. | Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here. | ||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=17578 HTTP/GSSAPI auth] | *[http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html IMAP/GSSAPI in thunderbird 1.5?] | ||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=307788 IMAP/GSSAPI implemented?] | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Request for HTTP/GSSAPI auth] (implemented in 1.7) | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=308118 Request for LDAP/GSSAPI auth] | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=133939 Request for SOCKS5/GSSAPI] | |||
== IMAP == | == IMAP == | ||
TB supports IMAP | TB supports negotiation of authentication method via IMAP, though I'm not sure which methods it supports of MD5, crypt, GSSAPI etc. | ||
== SMTP == | == SMTP == | ||
I guess this is similar to IMAP auth. | I guess this is similar to IMAP auth. negotiation. | ||
== POP3 == | == POP3 == | ||
*RFC 1939 - POP3 protocol description | |||
*RFC 1734 - POP3 Authentication description | |||
== NTLM | == SASL == | ||
* RFC 2222 - SASL Specification, section 7.2 describes SASL-GSSAPI | |||
* RFC 4752 - updated SASL GSSAPI spec - describes use of SASL with GSSAPI/KRB5 and GSSAPI/SPNEGO mechanisms. | |||
Thunderbird 1.5 beta has support for SASL/GSSAPI support. The client must first have a valid Kerberos ticket and the server must also support SASL/GSSAPI authentication in order to succeed. [http://www.washington.edu/imap UW IMAP Server] has support for SASL/GSSAPI, as does the [http://www.dovecot.org/ Dovecot] system. | |||
== NTLM and SPNEGO == | |||
GSSAPI authentication, either with SPNEGO tokens or with GSSAPI | |||
Kerberos V5 tokens, is attemtped if the server responds to the | |||
initial page request with a message that requests authentication | |||
and includes the "Auth: Negotiate" HTTP Header line. The client | |||
must have access to a valid Kerberos ticket or it won't even attempt | |||
to send the exchange. On Windows, NTLM auth may be attempted in the absence of | |||
valid Kerberos credentials. | |||
See some details here: | |||
*[https://bugzilla.mozilla.org/attachment.cgi?id=134505 IETF Internet draft (expired) describing HTTP Auth Negotiation] | |||
*RFC 2478 - Original SPNEGO specification (broken and outdated as of Fall 2005) | |||
*RFC 4178 - (coming soon) official SPNEGO specification. | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=17578 GSSAPI negotiation support added to Mozilla] | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=303160 SASL/GSSAPI support added to Thunderbird ] | |||
*[http://blogs.sun.com/roller/page/wyllys?entry=kerberos_web_authentiation_with_apache Configure GSSAPI auth for Mozilla and Apache (on Solaris)] - also describes IIS and IE configuration. | |||
== General == | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=240643 Try the last successful authentication method first.] | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=237586 NegotiateAuth support in SSPI for Windows] | |||
== GSSAPI implementations == | |||
*RFC 2743 - GSSAPI V2 | |||
*RFC 2744 - GSSAPI V2 C-Bindings | |||
*MIT | |||
*Sun | |||
*Heimdal | |||
*[https://bugzilla.mozilla.org/show_bug.cgi?id=286030 GNU] | |||
[[category:Thunderbird|*]] | |||
Latest revision as of 18:29, 16 April 2009
Kerberos
Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here.
- IMAP/GSSAPI in thunderbird 1.5?
- IMAP/GSSAPI implemented?
- Request for HTTP/GSSAPI auth (implemented in 1.7)
- Request for LDAP/GSSAPI auth
- Request for SOCKS5/GSSAPI
IMAP
TB supports negotiation of authentication method via IMAP, though I'm not sure which methods it supports of MD5, crypt, GSSAPI etc.
SMTP
I guess this is similar to IMAP auth. negotiation.
POP3
- RFC 1939 - POP3 protocol description
- RFC 1734 - POP3 Authentication description
SASL
- RFC 2222 - SASL Specification, section 7.2 describes SASL-GSSAPI
- RFC 4752 - updated SASL GSSAPI spec - describes use of SASL with GSSAPI/KRB5 and GSSAPI/SPNEGO mechanisms.
Thunderbird 1.5 beta has support for SASL/GSSAPI support. The client must first have a valid Kerberos ticket and the server must also support SASL/GSSAPI authentication in order to succeed. UW IMAP Server has support for SASL/GSSAPI, as does the Dovecot system.
NTLM and SPNEGO
GSSAPI authentication, either with SPNEGO tokens or with GSSAPI Kerberos V5 tokens, is attemtped if the server responds to the initial page request with a message that requests authentication and includes the "Auth: Negotiate" HTTP Header line. The client must have access to a valid Kerberos ticket or it won't even attempt to send the exchange. On Windows, NTLM auth may be attempted in the absence of valid Kerberos credentials.
See some details here:
- RFC 2478 - Original SPNEGO specification (broken and outdated as of Fall 2005)
- RFC 4178 - (coming soon) official SPNEGO specification.
- Configure GSSAPI auth for Mozilla and Apache (on Solaris) - also describes IIS and IE configuration.
General
GSSAPI implementations
- RFC 2743 - GSSAPI V2
- RFC 2744 - GSSAPI V2 C-Bindings
- MIT
- Sun
- Heimdal
- GNU