From: Jochen Hein <jochen@jochen.org>
To: ding@gnus.org
Cc: Lars Ingebrigtsen <larsi@gnus.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: gssapi authentication for nnimap
Date: Mon, 08 Feb 2016 21:59:37 +0100
Message-ID: <831t8mgbpi.fsf@echidna.jochen.org>
In-Reply-To: <8737t3g4hk.fsf@gnus.org>
Lars Ingebrigtsen <larsi@gnus.org> writes:
> We do still have the gssapi.el file, so we could presumably get this
> stuff working again, if somebody with access to a server that uses
> gssapi could hack away at it a bit...
I've tried to follow through the twisted maze of functions, but was not
successful. First, let's start with a log using gsasl to connect to my
imap server with telnet:
$ telnet imap.jochen.org imap
Trying fd23:e163:19f7:1234:216:3eff:feef:b5d4...
Connected to jupiter.jochen.org.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready
My server advertises both STARTTLS and AUTH=GSSAPI - I can use STARTTLS
and password authentication or GSSAPI. Let's try with gsasl (with
LANG=C, so the last two lines are not translated):
$ LANG=C gsasl imap.jochen.org imap --mechanism=GSSAPI --authentication-id=jochen@JOCHEN.ORG
Trying 'jupiter.jochen.org'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. STARTTLS
. OK Begin TLS negotiation now
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. AUTHENTICATE GSSAPI
+
YII...[lotsmorebas64]...EOsDQ==
+ YIG...[againbase64]...k+V86o=
+ BQQF/wAMAAAAAAAA...HRui4A=
BQQE/wAMAAAAAAAA.....YYR+jKQ3/PncQ==
. OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection) SESSIONID=<jupiter.jochen.org-20677-1454962976-1-9320604477375554810>
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
So my guess is that we only need to start gsasl and get a session with
STARTTLS and authenticated with GSSAPI. Nice.
Using imtest with the options defined in gssapi.el gives me a non-TLS
session - at least I don't see any STARTTLS.
So the basic commands from gssapi.el seem to work nicely. The only
function in that file is open-gssapi-stream, so how do I get Gnus to call
that function?
In
https://lists.gnu.org/archive/html/info-gnus-english/2012-06/msg00009.html
there's a diff that uses nnimap-authenticator. Is that the right
option to use, or would nnimap-stream be better?
Anyway, I've modified that diff like this:
diff --git a/lisp/nnimap.el b/lisp/nnimap.el
index 05251ed..aba48f3 100644
--- a/lisp/nnimap.el
+++ b/lisp/nnimap.el
@@ -65,7 +65,7 @@ it will default to `imap'.")
(defvoo nnimap-stream 'undecided
"How nnimap talks to the IMAP server.
The value should be either `undecided', `ssl' or `tls',
-`network', `starttls', `plain', or `shell'.
+`network', `starttls', `plain', `gssapi' or `shell'.
If the value is `undecided', nnimap tries `ssl' first, then falls
back on `network'.")
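Review bot: the new `gssapi' value in the docstring does not say whether it implies an encrypted connection, and that matters here: the gsasl session earlier in this message does STARTTLS before AUTHENTICATE GSSAPI, while the imtest run gave a non-TLS session. State which of the two `gssapi' means, e.g. "`gssapi' (STARTTLS if the server offers it, then AUTHENTICATE GSSAPI)", and since the next sentence says `undecided' only tries `ssl' then `network', say explicitly that `gssapi' is never chosen automatically.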
@@ -408,6 +408,10 @@ textual parts.")
(nnheader-message 7 "Opening connection to %s via shell..."
nnimap-address)
'("imap"))
+ ((eq nnimap-stream 'gssapi)
+ (nnheader-message 7 "jk:Opening connection to %s via GSSAPI..."
+ nnimap-address)
+ '("imap"))
((memq nnimap-stream '(ssl tls))
(nnheader-message 7 "Opening connection to %s via tls..."
nnimap-address)
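Review bot: the "jk:" prefix in the new nnheader-message string looks like a leftover debugging marker; drop it before this goes in so the line reads "Opening connection to %s via GSSAPI..." like the neighbouring `shell' and `tls' branches.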
@@ -417,22 +421,26 @@ textual parts.")
login-result credentials)
(when nnimap-server-port
(push nnimap-server-port ports))
- (let* ((stream-list
- (open-protocol-stream
- "*nnimap*" (current-buffer) nnimap-address
- (nnimap-map-port (car ports))
- :type nnimap-stream
- :warn-unless-encrypted t
- :return-list t
- :shell-command nnimap-shell-program
- :capability-command "1 CAPABILITY\r\n"
- :always-query-capabilities t
- :end-of-command "\r\n"
- :success " OK "
- :starttls-function
- (lambda (capabilities)
- (when (gnus-string-match-p "STARTTLS" capabilities)
- "1 STARTTLS\r\n"))))
+ (let* ((stream-list
+ (if (eq nnimap-stream 'gssapi)
+ (open-protocol-stream
+ "*nnimap*" (current-buffer) nnimap-address
+ (nnimap-map-port (car ports)) nnimap-user)
+ (open-protocol-stream
+ "*nnimap*" (current-buffer) nnimap-address
+ (nnimap-map-port (car ports))
+ :type nnimap-stream
+ :warn-unless-encrypted t
+ :return-list t
+ :shell-command nnimap-shell-program
+ :capability-command "1 CAPABILITY\r\n"
+ :always-query-capabilities t
+ :end-of-command "\r\n"
+ :success " OK "
+ :starttls-function
+ (lambda (capabilities)
+ (when (gnus-string-match-p "STARTTLS" capabilities)
+ "1 STARTTLS\r\n")))))
(stream (car stream-list))
(props (cdr stream-list))
(greeting (plist-get props :greeting))
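Review bot: the gssapi branch passes `nnimap-user' as a bare positional argument to `open-protocol-stream' and omits `:return-list t', so that call returns a plain process object rather than the `(stream . props)' list the unchanged lines below take apart with `(car stream-list)', `(cdr stream-list)' and `(plist-get props :greeting)'; that is exactly the "Wrong type argument: listp, #<process *nnimap*>" error reported further down. The branch also never calls `open-gssapi-stream', which this message says is the only function gssapi.el provides. Call that function here instead and make both branches yield the same shape: either keep `:return-list t' semantics by building the list yourself (e.g. `(list stream)', accepting that `props' is then nil and `greeting' must be read from the buffer), or put the capability/greeting handling for the gssapi case in its own function so the `stream'/`props' bindings below stay valid.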
Now I get:
Warning: Opening nnimap server on jochen@jochen.org...failed: ; Unable
to open server nnimap+jochen@jochen.org due to: Wrong type argument:
listp, #<process *nnimap*>
Any idea how to wire that all together? My limited lisp knowledge isn't
really useful...
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
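The STARTTLS-then-AUTHENTICATE GSSAPI ordering visible in the gsasl log above, and the difference between the three CAPABILITY lines (LOGINDISABLED plus AUTH=GSSAPI before TLS, AUTH=PLAIN/AUTH=LOGIN appearing only after TLS, no AUTH= items at all after authentication), is the decision an IMAP client has to make before it sends anything. The following is an added example, not code from this message or from Gnus/nnimap, written in Python rather than Emacs Lisp: it parses CAPABILITY responses and applies the same rule gsasl followed, upgrading to TLS first and refusing password-carrying mechanisms on a cleartext link. The capability strings are constructed from the session log above and shortened to the tokens that matter; `parse_capabilities`, `choose_auth` and `plan_session` are names chosen here.

```python
"""Decide how an IMAP client should authenticate from the server's CAPABILITY
response: STARTTLS first if offered, then a SASL mechanism, never a password
mechanism on a cleartext link. Added example, not Gnus/nnimap code."""
import re

# Constructed from the gsasl session log in this message, shortened to the
# relevant tokens: before STARTTLS, after STARTTLS, and after AUTHENTICATE.
PRE_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
           "AUTH=GSSAPI SASL-IR")
POST_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN "
            "AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE")
POST_AUTH = (". OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED "
             "COMPRESS=DEFLATE IDLE] Success (tls protection)")

# SASL mechanisms that transmit a reusable password; acceptable only under TLS.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return (flags, auth_mechs) from an untagged '* CAPABILITY ...' response
    or from a '[CAPABILITY ...]' response code inside an OK line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m is None:
        m = re.match(r"\* CAPABILITY (.*)$", line)
        if m is None:
            raise ValueError("not a CAPABILITY response: %r" % line)
    flags, mechs = set(), set()
    for tok in m.group(1).split():
        tok = tok.upper()
        if tok.startswith("AUTH="):
            mechs.add(tok[len("AUTH="):])
        else:
            flags.add(tok)
    return flags, mechs


def choose_auth(line, tls_active, wanted=("GSSAPI", "PLAIN", "LOGIN")):
    """Return the client's next step as a (command, argument) pair:
    ("STARTTLS", None), ("AUTHENTICATE", mech), ("LOGIN", None) or
    ("REFUSE", reason). `wanted` lists mechanisms in order of preference."""
    flags, mechs = parse_capabilities(line)
    # 1. On a cleartext link, upgrade before anything else (as gsasl did).
    if not tls_active and "STARTTLS" in flags:
        return ("STARTTLS", None)
    # 2. First preferred mechanism on offer; password mechanisms only under TLS.
    for mech in wanted:
        if mech in mechs and (tls_active or mech not in PASSWORD_MECHS):
            return ("AUTHENTICATE", mech)
    # 3. Plain LOGIN command only if encrypted and the server has not disabled it.
    if tls_active and "LOGINDISABLED" not in flags:
        return ("LOGIN", None)
    return ("REFUSE", "no acceptable mechanism for this link state")


def plan_session(capability_lines):
    """Walk CAPABILITY responses as they arrive and collect the client steps;
    TLS is treated as active once a STARTTLS step has been issued."""
    steps, tls = [], False
    for line in capability_lines:
        step = choose_auth(line, tls)
        steps.append(step)
        if step[0] == "STARTTLS":
            tls = True
        else:
            break  # AUTHENTICATE, LOGIN or REFUSE ends the decision phase
    return steps


if __name__ == "__main__":
    for step in plan_session([PRE_TLS, POST_TLS]):
        print(step)
    print("mechanisms left after authentication:",
          parse_capabilities(POST_AUTH)[1] or "none")
```

Run on the two pre-authentication lines it reproduces the logged session, STARTTLS followed by AUTHENTICATE GSSAPI; fed the pre-TLS line with only PLAIN/LOGIN wanted it refuses, because LOGINDISABLED is set and no password mechanism is advertised before TLS. A line without STARTTLS but with AUTH=GSSAPI yields GSSAPI on a cleartext link, which is the imtest behaviour described above: the password is never exposed, but nothing protects the session unless a GSSAPI security layer is negotiated.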