NetBSD-Bugs archive


lib/60320: libsaslc: gssapi mech should support loading keytabs



>Number:         60320
>Category:       lib
>Synopsis:       libsaslc: gssapi mech should support loading keytabs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 09 22:40:00 +0000 2026
>Originator:     Taylor R Campbell
>Release:        current, 11
>Organization:
The NetSASLC Credentials, Inc.
>Environment:
>Description:

	libsaslc(3) can be used as a gssapi/krb5 client with a
	credential cache, as shown in the man page
	<https://man.netbsd.org/NetBSD-11.x-BRANCH/libsaslc.3#GSSAPI%20AND%20KERBEROS>:

>    Here we have assumed the submission port is the port the server is
>    listening to.  Finally, as root, run the command
>
>          su -m postfix -c kinit
>
>    to obtain a ticket for the postfix user with the postfix credential and
>    you should be good to go!

	This is a little silly for a service daemon that happens to be
	running as a client.  Typical practice with Kerberos is for
	service daemons to have their own long-term keys stored in a
	keytab file, as the server side of the same example does.

	It should be possible for the libsaslc client to start with a
	keytab too, instead of having to run `su -m postfix -c kinit'
	every time you want to make postfix relay mail.  If this can be
	done with the KRB5_KTNAME environment variable, it would be
	nice if the example demonstrated that.  If not, it would be
	nice if there were a way to do this, e.g. with
	saslc_sess_setprop to set a keytab path, maybe using libkrb5 or
	using the gssapi credential store extensions
	(https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions,
	supported in not-yet-released heimdal too).

	Also: the man page example doesn't actually work; postfix fails
	with, e.g.:

> Jun  8 19:25:31 singbulli postfix/smtp[22014]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter

	But it is sufficient to set, say:

		smtpd_sasl_password_maps = static:postfix

	Other minor issues in the man page:

	1. kstash is not recommended these days -- needless UI
	   complexity for defence against a threat model better handled
	   by disk encryption

	2. various `kadmin add' arguments can, and for batch scripts
	   should, be abbreviated to `--use-defaults'

	3. root-owned /etc/krb5.keytab shouldn't be necessary for the
	   server side; postfix-owned file under /var/spool/postfix or
	   /var/db/postfix might make the configuration tidier

>How-To-Repeat:

	read libsaslc(3) man page
	try to set up postfix as client with gssapi/krb5

>Fix:

	Yes, please!
