Chapter 39 - The heimdal_gssapi authenticator
The heimdal_gssapi authenticator provides server integration for the Heimdal GSSAPI/Kerberos library, permitting Exim to set a keytab pathname reliably.
server_hostname | Use: heimdal_gssapi | Type: string† | Default: see below |
This option selects the hostname that is used, with server_service, for constructing the GSS server name, as a GSS_C_NT_HOSTBASED_SERVICE identifier. The default value is $primary_hostname.
server_keytab | Use: heimdal_gssapi | Type: string† | Default: unset |
If set, then Heimdal will not use the system default keytab (typically /etc/krb5.keytab) but instead the pathname given in this option. The value should be a pathname, with no “file:” prefix.
server_service | Use: heimdal_gssapi | Type: string† | Default: smtp |
This option specifies the service identifier used, in conjunction with server_hostname, for building the identifier for finding credentials from the keytab.
1. heimdal_gssapi auth variables
- $auth1: the authentication id, set to the GSS Display Name.
- $auth2: the authorization id, sent within SASL encapsulation after authentication. If that was empty, this will also be set to the GSS Display Name.

Beware that these variables will typically include a realm, and so will already look roughly like an email address. The authzid in $auth2 is not verified, so a malicious client can set it to anything; do not grant anything on the basis of $auth2 alone. The $auth1 field should be safely trustable as a value from the Key Distribution Center. Note that these are not quite email addresses: each identifier is for a role, and so the left-hand side may include a role suffix, for instance “joe/admin@EXAMPLE.ORG”.
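As an added illustration (not taken from the Exim specification), the following server-side authenticator definition ties together the server_hostname, server_service and server_keytab options above and acts on the caveat about $auth2. The hostname, realm and keytab path are assumptions; server_advertise_condition, server_condition and server_set_id are the generic authenticator options that apply to every driver.

```exim
# Added example, not from the Exim specification. The hostname
# mail.example.org, the realm EXAMPLE.ORG and the keytab path are
# assumptions chosen for illustration.
begin authenticators

heimdal_krb:
  driver = heimdal_gssapi
  public_name = GSSAPI
  # Offer GSSAPI only once the session is TLS-protected.
  server_advertise_condition = ${if def:tls_in_cipher}
  # Credentials are looked up under the GSS_C_NT_HOSTBASED_SERVICE name
  # smtp@mail.example.org, built from server_service and server_hostname.
  server_hostname = mail.example.org
  server_service = smtp
  # Plain pathname, no "file:" prefix; overrides the default /etc/krb5.keytab.
  server_keytab = /etc/exim/exim.keytab
  # $auth2 (the authzid) is client-supplied and never verified, so accept it
  # only when it equals the KDC-verified principal in $auth1. The driver
  # copies $auth1 into $auth2 when the client sent an empty authzid, so the
  # common case still passes.
  server_condition = ${if eq{$auth2}{$auth1}}
  # Record the verified principal (e.g. joe/admin@EXAMPLE.ORG) as the
  # authenticated id; never use $auth2 here.
  server_set_id = $auth1
```

With this definition, $authenticated_id in later ACLs carries the full principal including its realm and any role suffix, so any comparison against a bare local part must account for the “@EXAMPLE.ORG” and “/role” components rather than treating the value as a plain email address.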