Ejabberd 2.1.13 with GSSAPI/Kerberos authentication for Ubuntu 12.04 LTS (Precise Pangolin) available

I’m currently working with the maintainers of the Debian ejabberd package to add GSSAPI/Kerberos support. As it will be surely be a while before the new packages find their way into the Debian repository, and even longer until they find their way into Ubuntu, I’ve created a PPA containing packages for the current version of ejabberd (2.1.13 at the time of writing) with the GSSAPI/Kerberos patch and the esasl module on which the GSSAPI patch relies.

The PPA can be added to your system manually by copying the lines below and adding them to your system’s software sources.

deb http://ppa.launchpad.net/ngroot/ejabberd-gssapi/ubuntu precise main 
deb-src http://ppa.launchpad.net/ngroot/ejabberd-gssapi/ubuntu precise main 

If you would find packages for another distribtion of Ubuntu to be useful, please comment and I will try to accommodate your request.

GSSAPI/Kerberos authentication in PIdgin

I’ve been working on creating an ejabberd package with mikma/badlop’s XMPP GSSAPI support patch applied. I wanted to use Pidgin as a client to test it. Pidgin claims to support Kerberos authentication, but I was unable to find documentation on how to set it up.

After digging through the source of the Jabber authentication module in libpurple, I figured out what was going on: there is no explicit “use Kerberos” option in the settings for an account. If a server lists GSSAPI as one of its supported mechanisms, the logged-in user has valid Kerberos credentials in their cache, and the appropriate SASL GSSAPI libraries are installed on the client machine, then it will use Kerberos for authentication.

The installation of the SASL GSSAPI libraries was what initially tripped me up. At the time of writing, the documentation does not appear to mention this. Since Pidgin does not know that you want Kerberos authentication for an account, no error is generated if they are not installed; it simply tries to use one of the other authentication mechanisms available.

On Debian and its derivatives (e.g., Ubuntu), this can be resolved by installing the libsasl2-modules-gssapi-heimdal or libsasl2-modules-gssapi-mit package, as appropriate for the Kerberos implementation on your machine.