Gnus development mailing list
From: Jochen Hein <jochen@jochen.org>
To: ding@gnus.org
Cc: Lars Ingebrigtsen <larsi@gnus.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: gssapi authentication for nnimap
Date: Mon, 08 Feb 2016 21:59:37 +0100
Message-ID: <831t8mgbpi.fsf@echidna.jochen.org>
In-Reply-To: <8737t3g4hk.fsf@gnus.org>

Lars Ingebrigtsen <larsi@gnus.org> writes:

> We do still have the gssapi.el file, so we could presumably get this
> stuff working again, if somebody with access to a server that uses
> gssapi could hack away at it a bit...

I've tried to follow through the twisted maze of functions, but was not
successful.  First, let's start with a log using gsasl to connect to my
imap server with telnet:

$ telnet imap.jochen.org imap
Trying fd23:e163:19f7:1234:216:3eff:feef:b5d4...
Connected to jupiter.jochen.org.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready

My server advertises both STARTTLS and AUTH=GSSAPI - I can use STARTTLS
and password authentication or GSSAPI.  Let's try with gsasl (with
LANG=C, so the last two lines are not translated):

$ LANG=C gsasl imap.jochen.org imap --mechanism=GSSAPI --authentication-id=jochen@JOCHEN.ORG
Trying 'jupiter.jochen.org'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. STARTTLS
. OK Begin TLS negotiation now
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. AUTHENTICATE GSSAPI
+
YII...[lotsmorebas64]...EOsDQ==
+ YIG...[againbase64]...k+V86o=

+ BQQF/wAMAAAAAAAA...HRui4A=
BQQE/wAMAAAAAAAA.....YYR+jKQ3/PncQ==
. OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection) SESSIONID=<jupiter.jochen.org-20677-1454962976-1-9320604477375554810>
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

So my guess is that we only need to start gsasl and get a session with
STARTTLS and authenticated with GSSAPI.  Nice.

Using imtest with the options defined in gssapi.el gives me a non-TLS
session - at least I don't see any STARTTLS.

So the basic commands from gssapi.el seem to work nicely.  The only
function in that file is open-gssapi-stream, so how do I get gnus to
call that function?

In
https://lists.gnu.org/archive/html/info-gnus-english/2012-06/msg00009.html
there's a diff that uses nnimap-authenticator.  Is that the right
option to use, or would nnimap-stream be better?

Anyway, I've modified that diff like this:

diff --git a/lisp/nnimap.el b/lisp/nnimap.el
index 05251ed..aba48f3 100644
--- a/lisp/nnimap.el
+++ b/lisp/nnimap.el
@@ -65,7 +65,7 @@ it will default to `imap'.")
 (defvoo nnimap-stream 'undecided
   "How nnimap talks to the IMAP server.
 The value should be either `undecided', `ssl' or `tls',
-`network', `starttls', `plain', or `shell'.
+`network', `starttls', `plain', `gssapi' or `shell'.
 
 If the value is `undecided', nnimap tries `ssl' first, then falls
 back on `network'.")
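Review bot: the docstring now lists `gssapi' as a legal value but never says what it does, while the following sentence still explains only `undecided'; add a line such as "`gssapi' runs an external GSSAPI helper (see gssapi.el) instead of opening the connection itself" and state whether that session is TLS-protected, since the message reports that imtest with the gssapi.el options gives a non-TLS session. Also keep the original list punctuation ("`plain', `gssapi', or `shell'.") so the enumeration stays consistent with the rest of the docstring.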
@@ -408,6 +408,10 @@ textual parts.")
 	      (nnheader-message 7 "Opening connection to %s via shell..."
 				nnimap-address)
 	      '("imap"))
+	     ((eq nnimap-stream 'gssapi)
+	      (nnheader-message 7 "jk:Opening connection to %s via GSSAPI..."
+				nnimap-address)
+	      '("imap"))
 	     ((memq nnimap-stream '(ssl tls))
 	      (nnheader-message 7 "Opening connection to %s via tls..."
 				nnimap-address)
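Review bot: the "jk:" prefix in the nnheader-message string of the new `gssapi' branch is a debugging marker and should be removed before this is merged; the message should read "Opening connection to %s via GSSAPI..." like the `shell' and `tls' branches around it. Returning '("imap") as the port list copies the `shell' branch, which is fine only if the helper is what talks to the network; if the helper takes a port, it should come from nnimap-server-port, which the code below pushes onto `ports'.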
@@ -417,22 +421,26 @@ textual parts.")
            login-result credentials)
       (when nnimap-server-port
 	(push nnimap-server-port ports))
-      (let* ((stream-list
-	      (open-protocol-stream
-	       "*nnimap*" (current-buffer) nnimap-address
-	       (nnimap-map-port (car ports))
-	       :type nnimap-stream
-	       :warn-unless-encrypted t
-	       :return-list t
-	       :shell-command nnimap-shell-program
-	       :capability-command "1 CAPABILITY\r\n"
-               :always-query-capabilities t
-	       :end-of-command "\r\n"
-	       :success " OK "
-	       :starttls-function
-	       (lambda (capabilities)
-		 (when (gnus-string-match-p "STARTTLS" capabilities)
-		   "1 STARTTLS\r\n"))))
+	(let* ((stream-list
+		(if (eq nnimap-stream 'gssapi)
+		    (open-protocol-stream
+		     "*nnimap*" (current-buffer) nnimap-address
+		     (nnimap-map-port (car ports)) nnimap-user)
+		  (open-protocol-stream
+		   "*nnimap*" (current-buffer) nnimap-address
+		   (nnimap-map-port (car ports))
+		   :type nnimap-stream
+		   :warn-unless-encrypted t
+		   :return-list t
+		   :shell-command nnimap-shell-program
+		   :capability-command "1 CAPABILITY\r\n"
+		   :always-query-capabilities t
+		   :end-of-command "\r\n"
+		   :success " OK "
+		   :starttls-function
+		   (lambda (capabilities)
+		     (when (gnus-string-match-p "STARTTLS" capabilities)
+		       "1 STARTTLS\r\n")))))
 	     (stream (car stream-list))
 	     (props (cdr stream-list))
 	     (greeting (plist-get props :greeting))
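Review bot: the `gssapi' branch omits :return-list t, so open-protocol-stream returns a bare process object, and the unchanged `(stream (car stream-list))' and `(props (cdr stream-list))' right after the hunk then fail with exactly the "Wrong type argument: listp, #<process *nnimap*>" error quoted later in the message. Either pass :return-list t (and the other keywords) in that branch as well, or wrap the result in a list so the :greeting and :capabilities lookups below get a plist. Passing nnimap-user as a bare fifth positional argument is also not open-protocol-stream's calling convention (everything after SERVICE is keyword parameters); if the intent is the helper from gssapi.el, the branch should call open-gssapi-stream, which the message names, and it then bypasses :warn-unless-encrypted and the :starttls-function on purpose, so the GSSAPI path gets no encryption warning and that should be documented. Finally, the hunk re-indents the whole unchanged let* form, which hides the real change; leaving the indentation as it was would shrink the diff to the `if' wrapper.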

Now I get:

Warning: Opening nnimap server on jochen@jochen.org...failed: ; Unable
to open server nnimap+jochen@jochen.org due to: Wrong type argument:
listp, #<process *nnimap*>

Any idea how to wire that all together?  My limited lisp knowledge isn't
really useful...

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
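The negotiation the gsasl log above walks through (greeting, CAPABILITY, STARTTLS, CAPABILITY again, then pick a SASL mechanism), as an added Python example that is not part of the original message and is not Gnus, gssapi.el or gsasl code. The server lines in ScriptedServer are constructed from the captured session with the long capability lists trimmed; the offer_starttls=False variant is a constructed server that advertises only password mechanisms on cleartext. The GSSAPI token exchange itself needs a Kerberos ticket and a live server, so it is not performed; SocketTransport only shows how the same negotiate() runs against a real host.

```python
"""Added example: IMAP capability / STARTTLS / mechanism selection.
Not from the original message; server lines are constructed from the log."""
import re
import socket
import ssl

PASSWORD_MECHS = ("PLAIN", "LOGIN")   # never acceptable without TLS


def parse_capabilities(line):
    """Tokens from '* CAPABILITY a b c' or '* OK [CAPABILITY a b c] greeting'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return set(m.group(1).split()) if m else set()


def sasl_mechanisms(caps):
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def choose_mechanism(caps, encrypted):
    """GSSAPI first (mutual auth, no password on the wire).  PLAIN/LOGIN
    only over TLS: on a cleartext link they are refused even if offered."""
    mechs = sasl_mechanisms(caps)
    if "GSSAPI" in mechs:
        return "GSSAPI"
    if not encrypted:
        raise RuntimeError("only password mechanisms offered on cleartext: %s" % sorted(mechs))
    for mech in PASSWORD_MECHS:
        if mech in mechs:
            return mech
    raise RuntimeError("no acceptable SASL mechanism in %s" % sorted(mechs))


def negotiate(t):
    """Run the exchange from the log over transport t (readline/send/
    starttls/encrypted).  Returns (mechanism, caps_before_tls, caps_after_tls)."""
    counter = [0]

    def command(cmd):                      # tagged command, collect untagged replies
        counter[0] += 1
        tag = "a%d" % counter[0]
        t.send("%s %s" % (tag, cmd))
        untagged = []
        while True:
            line = t.readline()
            if line.startswith(tag + " "):
                if not line.startswith(tag + " OK"):
                    raise RuntimeError("server refused %s: %s" % (cmd, line))
                return untagged
            untagged.append(line)

    if not t.readline().startswith("* OK"):
        raise RuntimeError("unexpected greeting")
    before = parse_capabilities(command("CAPABILITY")[0])
    after = before
    if "STARTTLS" in before:
        command("STARTTLS")
        t.starttls()
        # The pre-TLS list travelled in cleartext and is untrusted; only the
        # list re-read inside TLS decides which mechanisms are really offered.
        after = parse_capabilities(command("CAPABILITY")[0])
    return choose_mechanism(after, t.encrypted), before, after


class ScriptedServer:
    """Offline stand-in replaying the captured server (constructed from the log)."""
    GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
                "AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP server ready")
    PRE_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR"
    POST_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR"
    NO_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN"   # constructed

    def __init__(self, offer_starttls=True):
        self.offer_starttls, self.encrypted, self.sent = offer_starttls, False, []
        self.queue = [self.GREETING if offer_starttls else "* OK jupiter.jochen.org ready"]

    def readline(self):
        return self.queue.pop(0)

    def send(self, line):
        self.sent.append(line)
        tag, cmd = line.split(" ", 1)
        if cmd == "CAPABILITY":
            caps = self.POST_TLS if self.encrypted else (self.PRE_TLS if self.offer_starttls else self.NO_TLS)
            self.queue += [caps, tag + " OK Completed"]
        elif cmd == "STARTTLS" and self.offer_starttls:
            self.queue.append(tag + " OK Begin TLS negotiation now")
        else:
            self.queue.append(tag + " BAD not scripted")

    def starttls(self):
        self.encrypted = True


class SocketTransport:
    """Live transport; starttls() verifies the certificate and hostname."""
    def __init__(self, host, port=143):
        self.host, self.encrypted = host, False
        self.sock = socket.create_connection((host, port))
        self.rfile = self.sock.makefile("r", encoding="utf-8", newline="")

    def readline(self):
        return self.rfile.readline().rstrip("\r\n")

    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("utf-8"))

    def starttls(self):
        self.sock = ssl.create_default_context().wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("r", encoding="utf-8", newline="")
        self.encrypted = True


if __name__ == "__main__":
    import sys
    transport = SocketTransport(sys.argv[1]) if len(sys.argv) > 1 else ScriptedServer()
    mech, before, after = negotiate(transport)
    print("mechanism:", mech, "| before TLS:", sorted(sasl_mechanisms(before)),
          "| after TLS:", sorted(sasl_mechanisms(after)))
```

Run without arguments to replay the captured session; with a hostname it performs the same steps against a live server up to (but not including) AUTHENTICATE. The point the log makes and the code enforces: LOGINDISABLED and the absence of AUTH=PLAIN before STARTTLS mean the server will not take a password in the clear, and a client should refuse to offer one there even when a (possibly tampered) cleartext capability list invites it.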




Thread overview: 22+ messages
2015-11-29 14:35 Florian Weimer
2016-02-06  6:40 ` Lars Ingebrigtsen
2016-02-07 17:16   ` Jochen Hein
2016-02-08  5:23     ` Lars Ingebrigtsen
2016-02-08  9:51       ` Jochen Hein
2016-02-08 20:59       ` Jochen Hein [this message]
2016-02-08 21:51         ` Andreas Schwab
2016-02-08 23:21           ` Jochen Hein
2016-02-08 23:47             ` Andreas Schwab
2016-02-09  6:22               ` Jochen Hein
2016-02-09 20:05                 ` Jochen Hein
2016-02-09 23:31                   ` Lars Ingebrigtsen
2016-02-10  4:16                     ` Jochen Hein
2016-02-10  4:23                       ` Lars Ingebrigtsen
2016-02-10  4:30                       ` Lars Ingebrigtsen
2016-02-10  4:42                         ` Jochen Hein
2016-02-10  4:50                           ` Lars Ingebrigtsen
2016-02-10 21:37                     ` Jochen Hein
2016-02-11 19:51                     ` [PATCH] GSSAPI " Jochen Hein
2016-02-13  6:50                       ` Lars Ingebrigtsen
2016-02-13 10:30                         ` Jochen Hein
2016-02-14  2:25                           ` Lars Ingebrigtsen
