GS2-KRB5 using GNU SASL and MIT Kerberos for Windows

I have blogged about GNU SASL and GS2-KRB5 with the native Kerberos on Mac OS X before, so the next logical step has been to support GS2-KRB5 on Windows through MIT Kerberos for Windows (KfW). With the latest release of GNU SASL 1.5.2 I have added support for the KfW GSS-API library. There were several issues in completing this due to problems with KfW, but I won’t bore you with those details.

What is important is to demonstrate how GNU SASL can now talk IMAP authenticated with GS2-KRB5 using KfW on native Windows. Continue reading

Announcing krb5dissect

Building on my earlier efforts to document the ccache format, I’ve now created the krb5dissect tool. It will parse your Kerberos ccache file (typically /tmp/krb5cc_$UID) and prints it in a human readable format.

This tool was written in about 1 hour, given the amazing amount of nice modules available from gnulib, and helpful tools such as gengetopt and help2man. Kudos!

Update! Version 2.0 can do the same for Kerberos keytab files (typically /etc/krb5.keytab).

Kerberos 5 Credential Cache file format

Reading MIT/Heimdal Kerberos V5 credential files seemed like a good first step towards making Shishi more usable. Users will be able to continue using their existing Kerberos V5 applications and libraries, but will be able to gradually move to Shishi. This has actually been on the todo-list for Shishi since day one. A few months ago, Michael B Allen wrote up a specification of the keytab file format (i.e., the file format used by /etc/krb5.keytab), and I implemented it in Shishi. Now, that file contains hostkeys, and is thus only useful for servers. To be able to read the end-user credential files would be more useful. I fired up M-x hexl-find-file RET on /tmp/krb5cc_1000, and with the help of Michael’s prior work, I came up with the following file format description and basic implementation.

Kerberos ccache file format writeup

Parse ccache files, header file

Parse ccache files, source