Kerberos/GSSAPI Support in Jabber

The Jabber/XMPP protocol uses SASL for its authentication. This allows Kerberos to be used for authentication, through the GSSAPI SASL mechanism. Unfortunately, most clients and servers choose to implement their own DIGEST-MD5 and PLAIN SASL mechanisms, rather than using a SASL toolkit, so support for the GSSAPI mechanism is somewhat thin on the ground.

This page contains patches for the Jabber2 server and for a number of clients, developed at the Division of Informatics, University of Edinburgh, for their Jabber installation.

Jabber2 server

Code reinstating Cyrus SASL support has recently been integrated into jabber2's CVS repository, and will be included in the 2.1 release.

Patches for the 2.0 series are available below.

See the CyrusSASL and Kerberos entries in the jabber2 Wiki for details on configuring and managing a server with these patches.

Patch for jabberd-2.0s11
Patch for jabberd-2.0s9

Gaim

This patch adds support for using Cyrus SASL to the Gaim Jabber plugin. Configure with --enable-cyrus-sasl to add this functionality.

Note that there is currently a known problem with this patch and single-round authentication mechanisms such as PLAIN. A revised patch will be posted shortly.

Patch for gaim-1.3.1 (will also apply to 1.4 and 1.5)

Psi

This patch enables the SASL support which is already present in the Iris library used by Psi. It fixes some bugs with this, and adds additional functionality required to implement SASL connections.

In order to use this code you will need to have the qca and qca-sasl libraries installed.

Patch for Psi 0.9.3

Coccinella

Coccinella has support for using the tclsasl library, which in turn uses Cyrus SASL. However, this support is disabled in the default build. The patch below re-enables tclsasl support.

Note that this patch does not support falling back to alternative SASL mechanisms. If both the client and the server have GSSAPI support available, the client will try GSSAPI. If this fails for any reason (no credentials on the client, no server key on the server), authentication fails without offering the user the option of trying another authentication mechanism.
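The mechanism selection the paragraph above describes, with and without fallback, as an added Python example that is not code from Coccinella, tclsasl or any patch on this page. The <stream:features> stanza, the client preference order and the server (fake_server) are constructed stand-ins; the GSSAPI challenge/response rounds themselves are not modelled, only the final <success/> or <failure/> reply.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
# Client preference order, strongest first (assumed; real clients make this configurable).
CLIENT_PREFERENCE = ["GSSAPI", "DIGEST-MD5", "PLAIN"]
# Constructed <stream:features> as a server offering GSSAPI, DIGEST-MD5 and PLAIN sends it.
FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>GSSAPI</mechanism>"
    "<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>"
    "</mechanisms></stream:features>"
)

def offered_mechanisms(features_xml):
    """Names advertised in the server's <mechanisms/> stream feature, in server order."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]

def negotiate(features_xml, attempt, preference=CLIENT_PREFERENCE, fallback=True):
    """Run attempt(mech) for every mutually supported mechanism, client preference first.

    attempt() performs one full SASL exchange: True on <success/>, False on <failure/>,
    raising on a local error such as a missing Kerberos ticket.  fallback=False makes
    the first failure final (the Coccinella patch behaviour).  Returns (mech|None, tried).
    """
    offered = offered_mechanisms(features_xml)
    tried = []
    for mech in (m for m in preference if m in offered):
        tried.append(mech)
        try:
            if attempt(mech):
                return mech, tried
        except Exception:
            pass  # local failure (e.g. no credentials cache): treated like a <failure/>
        if not fallback:
            break
    return None, tried

def fake_server(working):
    """Constructed stand-in for a server that lacks its GSSAPI service key: mechanisms
    in `working` end in <success/>, everything else in <failure/>.  Only the final
    reply of the exchange is modelled, not the challenge/response rounds."""
    def attempt(mech):
        if mech in working:
            reply = f"<success xmlns='{SASL_NS}'/>"
        else:
            reply = f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
        return ET.fromstring(reply).tag == f"{{{SASL_NS}}}success"
    return attempt
```

With fallback enabled the client ends up on DIGEST-MD5 after the GSSAPI failure; with fallback=False it stops after the first attempt, which is the behaviour the paragraph warns about.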

Patch for Coccinella 0.95.8